About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0 -> no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must be 0 (IVT segment), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our own handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; if our handler ran, CL == AL
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
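The int 3, int 2Fh, int 41h and int 68h stubs of Methods 01 to 07 and the MeltICE device name of Method 11 are short, fixed byte sequences, so an analyst triaging a packed sample can fingerprint them statically before ever running it under a debugger. The following scanner is an added example, not code from the original post or from any tool it cites: it hand-assembles those listings into opcode signatures (wildcards for the VxD ID) and reports which ones occur in a buffer; the sample buffer is constructed here from the HASP loop and the SIWVID int 2Fh probe.

```c
#include <stddef.h>
#include <stdio.h>
/* Opcode signatures of the anti-SoftICE stubs listed above, hand-assembled
 * from the listings (16-bit encodings; Method 01 is the 32-bit 'BCHK' form).
 * A pattern value of -1 is a wildcard for an immediate byte that varies. */
enum { SIG_BCHK, SIG_BACKDOOR, SIG_VXDID, SIG_INT41, SIG_INT68, SIG_MELTICE, NSIGS };
typedef struct { const char *name; const int *pat; size_t len; } sig_t;

static const int p_bchk[]     = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                   /* mov ebp,4243484Bh */
static const int p_backdoor[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC };       /* mov si,4647h / mov di,4A4Dh / int 3 */
static const int p_vxdid[]    = { 0xB8, 0x84, 0x16, 0xBB, -1, -1, 0xCD, 0x2F };     /* mov ax,1684h / mov bx,<id> / int 2Fh */
static const int p_int41[]    = { 0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3 }; /* mov ax,4Fh / int 41h / cmp ax,0F386h */
static const int p_int68[]    = { 0xB4, 0x43, 0xCD, 0x68 };                         /* mov ah,43h / int 68h */
static const int p_meltice[]  = { '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E' };      /* device name "\\.\SICE" */

#define SIG(n, p) { n, p, sizeof(p) / sizeof((p)[0]) }
static const sig_t SIGS[NSIGS] = {
    SIG("Method 01: BoundsChecker 'BCHK' int 3 check", p_bchk),
    SIG("Method 02: SoftICE back door int 3 (SI=4647h, DI=4A4Dh)", p_backdoor),
    SIG("Method 03/04: int 2Fh/1684h VxD ID lookup", p_vxdid),
    SIG("Method 05: int 41h/4Fh debugger installation check", p_int41),
    SIG("Method 07: int 68h/43h V86 handler check", p_int68),
    SIG("Method 11: MeltICE \\\\.\\SICE device name", p_meltice),
};

/* Does signature s match buf at offset off (wildcards accepted)? */
static int match_at(const unsigned char *buf, size_t n, size_t off, const sig_t *s)
{
    if (off + s->len > n)
        return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] >= 0 && buf[off + i] != (unsigned char)s->pat[i])
            return 0;
    return 1;
}

/* Scan a code/data buffer once; bit k of the result is set when SIGS[k]
 * occurs anywhere in it (0 means none of the stubs above were found). */
unsigned scan_antisice(const unsigned char *buf, size_t n)
{
    unsigned hits = 0;
    for (size_t k = 0; k < NSIGS; k++)
        for (size_t off = 0; off < n; off++)
            if (match_at(buf, n, off, &SIGS[k])) { hits |= 1u << k; break; }
    return hits;
}

/* Constructed sample: the HASP back door loop from Method 02 (MOV AX,0911 /
 * MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3 / ADD BX,2) followed by the
 * Method 04 int 2Fh probe for the SIWVID VxD (7A5Fh), padded with NOPs. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90, 0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,
    0xCC, 0x83, 0xC3, 0x02, 0x90, 0x33, 0xFF, 0x8E, 0xC7, 0xB8, 0x84, 0x16, 0xBB,
    0x5F, 0x7A, 0xCD, 0x2F, 0xC3,
};

int main(void)
{
    unsigned hits = scan_antisice(SAMPLE, sizeof SAMPLE);
    for (int k = 0; k < NSIGS; k++)
        if (hits & (1u << k))
            printf("found: %s\n", SIGS[k].name);
    return hits ? 0 : 1;
}
```

The SIWVID and NTICE device names, the int41h/4fh VxDCall form of Method 12 and the registry paths of Method 13 can be added as further entries of SIGS in the same way.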