<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: with EBP set to
'BCHK' and AX=4, SoftICE answers the INT 3 and returns with AL no longer
equal to 4. If no debugger is present, the INT 3 must be caught by an
exception handler the program installs beforehand, so AL is still 4 when
execution resumes:

   mov ebp, 04243484Bh   ; 'BCHK'
   mov ax, 04h
   int 3
   cmp al,4
   jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command text is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h  ('FG')
-DI = 4A4Dh  ('JM')
which are the 'magic values' SoftICE expects before it treats an INT 3 as a
back door call.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

   4C19:0095 MOV AX,0911      ; execute command.
   4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
   4C19:009A MOV SI,4647      ; 1st magic value.
   4C19:009D MOV DI,4A4D      ; 2nd magic value.
   4C19:00A0 INT 3            ; back door call (if SIce is not loaded, jmp to 00AD*)
   4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
   4C19:00A4 INC CX
   4C19:00A5 CMP CX,06        ; repeat 6 times to execute
   4C19:00A8 JB 0095          ; 6 different commands.
   4C19:00AA JMP 0002         ; Bad_Guy: jump back.
   4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a hard reboot).

* the "jmp to 00ADh" is performed by the program's own INT 3 exception
  handler (an SEH), which is only reached when no debugger swallows the INT 3.
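Both tricks leave fixed immediates in the code, which is how a scanner (or a
reverser with a hex search) finds them before ever running the program. The
following is an added example in C, not code from the page or from any of the
packers it mentions: it looks for "mov ebp,'BCHK'" (Method 01) and for the
4647h/4A4Dh pair (Method 02) followed by an INT 3 within a short window.
SAMPLE_CODE is constructed from the opcodes of the listings above, and the
16-byte WINDOW is an assumption, not something the page states.

```c
/* Added example (not part of the original page): a static scanner for the
 * opcode patterns Methods 01 and 02 leave in a binary. SAMPLE_CODE is
 * constructed from the listings above; the 16-byte WINDOW is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encodings (the leading bytes are the same in 16-bit and 32-bit code):
 *   BD 4B 48 43 42    mov ebp,4243484Bh  ; 'BCHK'        (Method 01)
 *   BE 47 46 [00 00]  mov si,4647h / mov esi,4647h       (Method 02)
 *   BF 4D 4A [00 00]  mov di,4A4Dh / mov edi,4A4Dh       (Method 02)
 *   CC                int 3                              (both)      */
static const uint8_t SIG_BCHK[] = {0xBD, 0x4B, 0x48, 0x43, 0x42};
static const uint8_t SIG_SI[]   = {0xBE, 0x47, 0x46};
static const uint8_t SIG_DI[]   = {0xBF, 0x4D, 0x4A};
static const uint8_t INT3[]     = {0xCC};

#define WINDOW 16   /* assumed: max bytes from the first immediate to INT 3 */

typedef struct { size_t offset; const char *trick; } hit_t;

/* Offset of the first occurrence of sig in p[0..len), or -1. */
static long find(const uint8_t *p, size_t len, const uint8_t *sig, size_t siglen)
{
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(p + i, sig, siglen) == 0) return (long)i;
    return -1;
}

/* Scan buf, store up to max hits, return how many were found. A lone INT 3,
 * or one magic value without the other, is never reported. */
size_t scan_anti_softice(const uint8_t *buf, size_t len, hit_t *hits, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        const uint8_t *p = buf + i;
        size_t w = (len - i < WINDOW) ? len - i : WINDOW;

        /* Method 01: mov ebp,'BCHK' ... int 3 */
        if (find(p, w, SIG_BCHK, sizeof SIG_BCHK) == 0 &&
            find(p + sizeof SIG_BCHK, w - sizeof SIG_BCHK, INT3, 1) >= 0) {
            hits[n++] = (hit_t){ i, "BCHK/int3 (Method 01)" };
            continue;
        }
        /* Method 02: both magic values (either order) ... int 3 */
        long a = find(p, w, SIG_SI, sizeof SIG_SI);
        long b = find(p, w, SIG_DI, sizeof SIG_DI);
        if (a >= 0 && b >= 0 && (a == 0 || b == 0)) {
            size_t after = (size_t)(a > b ? a : b) + sizeof SIG_SI; /* end of later mov */
            if (find(p + after, w - after, INT3, 1) >= 0) {
                hits[n++] = (hit_t){ i, "FG/JM back door int3 (Method 02)" };
                i += after;   /* do not report the same pair again from the 2nd mov */
            }
        }
    }
    return n;
}

/* Constructed sample: the Haspinst loop of Method 02 (16-bit code), then the
 * Method 01 check as assembled in 32-bit code, then a stray mov si,4647h
 * with no matching DI that must not be reported. */
static const uint8_t SAMPLE_CODE[] = {
    0xB8, 0x11, 0x09,              /* mov ax,0911h                */
    0x8B, 0x17,                    /* mov dx,[bx]                 */
    0xBE, 0x47, 0x46,              /* mov si,4647h     <- hit @5  */
    0xBF, 0x4D, 0x4A,              /* mov di,4A4Dh                */
    0xCC,                          /* int 3                       */
    0x83, 0xC3, 0x02,              /* add bx,2                    */
    0x41,                          /* inc cx                      */
    0x83, 0xF9, 0x06,              /* cmp cx,6                    */
    0x72, 0xEB,                    /* jb 0095                     */
    0x90, 0x90, 0x90, 0x90,        /* nop padding                 */
    0xBD, 0x4B, 0x48, 0x43, 0x42,  /* mov ebp,'BCHK'   <- hit @25 */
    0x66, 0xB8, 0x04, 0x00,        /* mov ax,4                    */
    0xCC,                          /* int 3                       */
    0x3C, 0x04,                    /* cmp al,4                    */
    0x75, 0x10,                    /* jnz SoftICE_Detected        */
    0xBE, 0x47, 0x46,              /* mov si,4647h (no DI: skip)  */
    0xC3                           /* ret                         */
};
static const uint8_t CLEAN_CODE[] = { 0xCC, 0xBE, 0x47, 0x46, 0xC3 };

size_t count_hits(const uint8_t *code, size_t len)
{
    hit_t h[8];
    return scan_anti_softice(code, len, h, 8);
}

hit_t sample_hit(size_t k)
{
    hit_t h[8];
    size_t n = scan_anti_softice(SAMPLE_CODE, sizeof SAMPLE_CODE, h, 8);
    return k < n ? h[k] : (hit_t){ (size_t)-1, "" };
}

int main(void)
{
    hit_t h[8];
    size_t n = scan_anti_softice(SAMPLE_CODE, sizeof SAMPLE_CODE, h, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: %s\n", h[i].offset, h[i].trick);
    return 0;
}
```

The scanner reports two hits on the sample (offsets 5 and 25) and none on the
clean buffer. Tighten WINDOW if a real image gives false positives; the
immediates themselves are rare enough that a hit is worth a BPX on the INT 3.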
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh, function
1684h (Get Device API Entry Point). ES:DI comes back as 0000:0000 when no
VxD with that ID is loaded:

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 0202h            ; VxD ID of winice
   int 2Fh
   mov ax, es               ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID):

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 7a5Fh            ; VxD ID of SIWVID
   int 2fh
   mov ax, es               ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by any
system debugger that answers the debugger installation check, int 41h
function 4Fh.
There are several variants. The following one is the simplest:

   mov ax,4fh
   int 41h
   cmp ax, 0F386h
   jz SoftICE_detected

The next variant, as well as Method 06, are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first points the int 41h
vector at its own dummy handler, so that without a debugger the call returns
harmlessly with AX unchanged, then restores the vector. A system debugger
intercepts the interrupt before the vector table handler runs, so AX still
comes back as 0F386h:

   mov bx, cs               ; ES must be 0 (the IVT) here, as in Method 06
   lea dx, int41handler2
   xchg dx, es:[41h*4]      ; swap our handler into vector 41h,
   xchg bx, es:[41h*4+2]    ; keeping the old offset:segment in DX:BX
   mov ax,4fh
   int 41h
   xchg dx, es:[41h*4]      ; restore the original vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0f386h
   jz SoftICE_detected

int41handler2 PROC
   iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: there
is no function 4Fh and no 0F386h compare to search for. The dummy handler
copies AL into CL; AL is first loaded with a pseudo-random byte from the
timer port (in al,40h) and CX is zeroed. If the program's own handler ran,
CL equals AL afterwards; if a debugger handled the int 41h itself instead of
chaining to the vector, CL is still 0 and the compare fails. (If the timer
byte happens to be 0, the check is silently passed.)

int41handler PROC
   mov cl,al
   iret
int41handler ENDP


   xor ax,ax
   mov es,ax                ; ES = 0 -> interrupt vector table
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   in al, 40h               ; PIT channel 0 counter: an unpredictable AL
   xor cx,cx
   int 41h
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   cmp cl,al
   jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Function 43h is the
debugger installation check; a system debugger answers with AX=0F386h:

   mov ah,43h
   int 68h
   cmp ax,0F386h
   jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can catch it
   in a 32-bit app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...):

   mov ah, 25h
   mov al, Int_Number               ; 01h or 03h
   mov dx, offset New_Int_Routine   ; DS must hold the routine's segment
   int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed:

   mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers, you can
detect whether SoftICE is loaded (DR7=0x700 if you loaded the program with
the SoftICE loader, 0x400 otherwise: 0x400 is only the reserved bit 10,
which always reads as 1, while 0x700 adds the LE and GE exact-breakpoint
enable bits) or whether memory breakpoints are set (DR0 to DR3 hold their
linear addresses, and the L0..G3 bits of DR7 enable them), simply by reading
their values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
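The page quotes the two DR7 values but does not decode them. The following
added example (C, not code from the page) decodes a DR7 value the way a
ring 0 check from this method would, using the Intel layout: bits 0..7 are
the L0/G0 .. L3/G3 enables, bits 8 and 9 are LE/GE, bit 10 is reserved and
always set, and bits 16+4i / 18+4i hold the R/W and LEN fields of breakpoint
i. It takes the register value as a parameter because "mov eax,dr7" is
privileged; DR7_SAMPLE_BPM_W is a constructed value assumed to be what a
single SoftICE "BPM addr W" leaves on breakpoint 0.

```c
/* Added example, not part of the original page: decode DR7 as a ring-0
 * check from Method 10 would. The sample value is constructed. */
#include <stdint.h>
#include <stdio.h>

enum dr7_state {
    DR7_CLEAN = 0,       /* 0x400: nothing but the reserved bit 10        */
    DR7_DEBUGGER = 1,    /* LE/GE set, no breakpoint armed: 0x700         */
    DR7_HWBP_ARMED = 2   /* at least one of L0..L3 / G0..G3 is set        */
};

/* Is hardware breakpoint i (0..3) enabled locally or globally? */
int dr7_bp_enabled(uint32_t dr7, unsigned i)
{
    return ((dr7 >> (2u * i)) & 3u) != 0;
}

/* Bitmask of enabled breakpoints, bit i = breakpoint i. */
unsigned dr7_enabled_mask(uint32_t dr7)
{
    unsigned m = 0;
    for (unsigned i = 0; i < 4; i++)
        if (dr7_bp_enabled(dr7, i)) m |= 1u << i;
    return m;
}

/* R/W condition of breakpoint i: 00 exec, 01 write, 11 read/write. */
unsigned dr7_rw(uint32_t dr7, unsigned i) { return (dr7 >> (16u + 4u * i)) & 3u; }

/* Length of breakpoint i in bytes (field 10b is reserved in 32-bit mode,
 * 8 bytes in 64-bit mode). */
unsigned dr7_len(uint32_t dr7, unsigned i)
{
    static const unsigned len[4] = {1, 2, 8, 4};
    return len[(dr7 >> (18u + 4u * i)) & 3u];
}

enum dr7_state dr7_classify(uint32_t dr7)
{
    if (dr7_enabled_mask(dr7)) return DR7_HWBP_ARMED;
    if (dr7 & (3u << 8)) return DR7_DEBUGGER;   /* LE or GE */
    return DR7_CLEAN;
}

/* What a protector would write back to disarm every BPM: clear L0..G3
 * (bits 0-7) and leave the rest, so the debugger's LE/GE stay as they were. */
uint32_t dr7_with_bps_cleared(uint32_t dr7) { return dr7 & ~0xFFu; }

/* Constructed: one SoftICE "BPM addr W" on breakpoint 0, i.e. L0 set,
 * R/W0 = 01 (write), LEN0 = 00 (1 byte), on top of the 0x700 base. */
#define DR7_SAMPLE_BPM_W 0x00010701u

int main(void)
{
    static const char *names[] = { "clean", "debugger loaded", "hw breakpoint armed" };
    uint32_t v[] = { 0x400u, 0x700u, DR7_SAMPLE_BPM_W };
    for (int k = 0; k < 3; k++) {
        uint32_t d = v[k];
        printf("dr7=%08x: %s, enabled mask %x\n", d, names[dr7_classify(d)],
               dr7_enabled_mask(d));
        for (unsigned i = 0; i < 4; i++)
            if (dr7_bp_enabled(d, i))
                printf("  bp%u rw=%u len=%u\n", i, dr7_rw(d, i), dr7_len(d, i));
    }
    return 0;
}
```

With the sample value, dr7_classify reports an armed breakpoint on DR0 with a
write condition and 1-byte length; after dr7_with_bps_cleared it drops back to
"debugger loaded", which is exactly the BPM-clearing manipulation the text
warns about.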

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. If the open succeeds, the driver
is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* device namespace path \\.\SICE; CreateFile returns
       INVALID_HANDLE_VALUE (not NULL) when the driver is absent */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the control proc entry point of
Winice.exe while running MeltICE.

   00401067: push 00402025      ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
   00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (can be very slooooow :-( :
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, -1, on failure, hence
the "inc eax / jnz" test):

   push 00                 ; OF_READ
   mov eax,[00656634]      ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax
   jnz 00650589            ; detected
   push 00                 ; OF_READ
   mov eax,[00656638]      ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae             ; not detected

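The sample above checks one name; a real probe tries all three and has to be
testable without a Win9x box. The following is an added example in C, not
MeltICE's code and not from the page: the open is factored out behind a
function pointer, the real opener uses CreateFileA on Windows exactly as the
original does (a POSIX open() stands in elsewhere only so the file compiles
and runs), and the fake openers are constructed stand-ins for a Win9x machine
with SoftICE, an NT machine with SoftICE, and a clean one.

```c
/* Added example, not part of the original page or of MeltICE: probe all
 * three SoftICE device names with a pluggable opener. Fake openers below are
 * constructed for testing; no real driver is touched by them. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

/* Driver device names: SICE and SIWVID on Win9x, NTICE on WinNT. */
const char *const SOFTICE_DEVICES[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };
#define N_SOFTICE_DEVICES (sizeof SOFTICE_DEVICES / sizeof SOFTICE_DEVICES[0])

/* Returns 1 if path could be opened (and closes it again), 0 otherwise. */
typedef int (*device_opener_t)(const char *path);

/* Real opener. The failure value is INVALID_HANDLE_VALUE (-1), not NULL;
 * the 16-bit _lopen variant in the AZPR listing tests for the same -1
 * (HFILE_ERROR) with "inc eax / jnz". */
int open_device(const char *path)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
#else
    int fd = open(path, O_RDWR);   /* no "\\.\SICE" exists here: always 0 */
    if (fd < 0) return 0;
    close(fd);
    return 1;
#endif
}

/* Bit i of the result is set if SOFTICE_DEVICES[i] answered; 0 = not found. */
unsigned probe_softice_devices(device_opener_t opener)
{
    unsigned found = 0;
    for (size_t i = 0; i < N_SOFTICE_DEVICES; i++)
        if (opener(SOFTICE_DEVICES[i]))
            found |= 1u << i;
    return found;
}

/* Constructed stand-ins: Win9x with SoftICE loaded (both VxDs answer),
 * NT with SoftICE loaded (only NTICE answers), and a clean machine. */
int fake_opener_win9x(const char *path)
{
    return strcmp(path, "\\\\.\\SICE") == 0 || strcmp(path, "\\\\.\\SIWVID") == 0;
}
int fake_opener_nt(const char *path)    { return strcmp(path, "\\\\.\\NTICE") == 0; }
int fake_opener_clean(const char *path) { (void)path; return 0; }

int main(void)
{
    unsigned found = probe_softice_devices(open_device);
    if (!found) { puts("no SoftICE device answered"); return 0; }
    for (size_t i = 0; i < N_SOFTICE_DEVICES; i++)
        if (found & (1u << i))
            printf("%s opened: SoftICE detected\n", SOFTICE_DEVICES[i]);
    return 1;
}
```

A protector that also tries _lopen, or calls NtCreateFile directly, still
ends up in the same driver open path, which is why the page's
VMM_GetDDBList breakpoint is the one that does not care which API was used.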
8 \6 `. g! g$ C5 ]1 u# {7 a! J6 O. z
__________________________________________________________________________3 f( q0 J3 R$ y L* | u: L1 f
/ b8 x/ h5 ]1 KMethod 12
( o" h3 t, l: Y* |=========
$ f* n* ?0 s, H
- ^) A: ~ I" A; bThis trick is similar to int41h/4fh Debugger installation check (code 05% t, B! _; }2 Y/ q9 t0 k
& 06) but very limited because it's only available for Win95/98 (not NT)6 f; P8 ]) F( \- w3 h0 z7 T- ~: Q
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.0 P5 y0 ~/ y) R9 s/ i, u5 f
' z: `- E+ Z1 O push 0000004fh ; function 4fh
4 F# C! g' y; e% j2 P push 002a002ah ; high word specifies which VxD (VWIN32) X) L, u, q7 s' J, R( [6 U" b
; low word specifies which service; ~/ }! G& r% a! K! U5 \
(VWIN32_Int41Dispatch)2 P! g6 S* {1 m+ w$ M8 n U
call Kernel32!ORD_001 ; VxdCall
5 \7 Q( x8 Z* [/ P cmp ax, 0f386h ; magic number returned by system debuggers. v# M' `5 y' G
jz SoftICE_detected( z+ }/ Y; z; X9 X X8 H' u
+ h' E5 U t, g5 i+ }9 N7 v3 V
Here again, several ways to detect it:: R6 ]! S% P- l# E7 B" b; J: E
5 e0 e9 H }+ O0 F2 T: \' D BPINT 41 if ax==4f% g+ j$ m; B3 n: x$ d0 I1 N
) c& Q, _1 {- h$ B- m3 Y' }
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
8 A W/ a* I/ C$ O* _# B0 S
' L& [. {& q/ N! i, r7 s6 @7 G1 B BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A4 H8 e! n( s5 h5 C: o" J7 z
5 E6 W. Y. V4 i3 ]) q
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
# P, x0 T6 `0 Q' T: z
& y- s J d& m8 s+ q5 D; g7 T d__________________________________________________________________________
8 J+ [% J" N% c7 P! h0 F, ^: v0 a E0 R" c _! h r4 e
Method 13
& P7 _6 w b' C# H; b=========2 B+ E9 k Z" z7 Z0 g$ T D
, I) H. k+ z1 J, dNot a real method of detection, but a good way to know if SoftICE is: E1 U) ~! l* J: T# E
installed on a computer and to locate its installation directory.
5 O) d2 P1 W; d) A1 p" }( P; _$ z! lIt is used by few softs which access the following registry keys (usually #2) :
6 X1 {6 y. T$ O: R& K0 F: c8 W
: t3 V/ q- o3 e-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
4 s. p- F% l* z. l# T8 M\Uninstall\SoftICE
0 i" c# F- t* i( h; b-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
/ f6 X. p C+ i1 i8 Y5 ], T-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion9 x5 j ] y8 B' @) d
\App Paths\Loader32.Exe2 e ]; Y/ ?% h
1 |; g' w) w1 y/ a# W! w
- N+ j; k" H [5 Y7 M# c9 W3 C1 o( t
Note that some nasty apps could then erase all files from SoftICE directory
" V' }6 z0 y, R4 x2 U5 _(I faced that once :-(
( C3 Y( c2 a7 R; ]& D4 n. \- A% p7 O+ t1 [/ h, n
Useful breakpoint to detect it:' R" h) n* X& t6 V! P4 n' X% g4 p4 A
' v1 M+ C2 k0 W! G! S* U9 h* a1 b BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
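That breakpoint condition is worth checking against the key list, because it
hard-codes offsets. The following added example (C, not from the page)
re-implements the condition and runs it over the three subkey strings above
plus one unrelated key as a control; the strings are constructed as a program
would pass them to RegOpenKey under HKEY_LOCAL_MACHINE, and nothing here
touches a real registry. It also shows a less brittle check of the kind you
would put in a hook rather than a BPX condition.

```c
/* Added example, not part of the original page: the _regopenkey breakpoint
 * condition in C, run over constructed subkey strings. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

const char *const SOFTICE_REG_KEYS[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",      /* #1 */
    "Software\\NuMega\\SoftICE",                                             /* #2 */
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe", /* #3 */
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run"   /* control: not SoftICE */
};

/* SoftICE's *(p)=='tICE' is a 4-byte compare at p; esp->8 is RegOpenKey's
 * lpSubKey, so +0x13 and +0x37 are offsets into the subkey string. */
static int dword_at_is(const char *s, size_t off, const char *tag)
{
    return off + 4 <= strlen(s) && memcmp(s + off, tag, 4) == 0;
}

/* Exactly the BPX condition: 'tICE' at offset 0x13 (key #2) or 0x37 (key #1). */
int bpx_regopenkey_condition(const char *subkey)
{
    return dword_at_is(subkey, 0x13, "tICE") || dword_at_is(subkey, 0x37, "tICE");
}

/* Case-insensitive substring search (registry key names are case-insensitive). */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* A condition that also catches key #3 and any prefix or case variation. */
int robust_regkey_condition(const char *subkey)
{
    return contains_ci(subkey, "SoftICE") || contains_ci(subkey, "Loader32");
}

int main(void)
{
    for (size_t i = 0; i < 4; i++)
        printf("bpx=%d robust=%d  %s\n",
               bpx_regopenkey_condition(SOFTICE_REG_KEYS[i]),
               robust_regkey_condition(SOFTICE_REG_KEYS[i]), SOFTICE_REG_KEYS[i]);
    return 0;
}
```

The BPX condition fires on keys #1 and #2 and misses #3 (there is no "tICE"
at either offset in "...App Paths\Loader32.Exe"), and it also misses a
program that opens "Software\NuMega" first and then "SoftICE" as a separate
subkey; the substring version catches both, but a SoftICE conditional
breakpoint cannot call strstr, so it belongs in an API hook.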
2 N5 o; Q" l# b7 S. S& ?0 } I$ d+ y" p7 W8 N7 K# Y w
__________________________________________________________________________. \( d, J$ \3 K
2 P1 f) ~' C+ D+ g$ a% U9 O, ~
- P6 m8 n I- l9 d- P5 xMethod 14 7 Q6 w1 k( I" U
=========5 C* D( q: e( ^
# `' U# X2 X6 N, n( O0 [
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 _/ W5 p; v$ {* h7 ~) _+ {4 J
is to determines whether a debugger is running on your system (ring0 only).
4 _$ z4 U E7 y) O% H& A! [) O
- L b; z: E# |% A( T& z5 K9 y VMMCall Test_Debug_Installed7 L, n, r h5 B, k& ]
je not_installed- b5 S0 o" n/ [; ?' C2 q/ b
( W% V3 n( L: N% z' ^. W8 C& Q* ~This service just checks a flag.0 r; a+ \9 n- w# ?7 ?
</PRE></TD></TR></TBODY></TABLE> |