About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: with
EBP='BCHK' and AX=4, SoftICE's int 3 handler changes AL, so if AL still
holds 4 after the interrupt, SoftICE is not there.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jumps back.
4C19:00AD   MOV    BX,SP    ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
as 0:0; anything else means the VxD answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The IVT entry for int 41h is swapped for a
plain iret around the call, so a debugger that merely hooks the vector is
bypassed; only a debugger that intercepts the interrupt below the IVT
still answers 0F386h.

    xor     ax,ax
    mov     es,ax                   ; ES=0 so es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: there
is no function number 4Fh and no 0F386h compare to put a breakpoint on. The
temporary handler copies AL into CL. AL holds a byte just read from the timer
port and CX is cleared before the int 41h, so if the handler runs (no debugger
below the IVT) CL equals AL; if SoftICE swallows the interrupt, the handler
never runs, CL stays 0 and the compare fails.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>