About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WinICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
                                    ; (missing from the posted snippet, as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our own handler leaves AX unchanged
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = a timer value (hard to predict)
    xor     cx,cx
    int     41h                     ; our handler copies AL into CL...
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SICE VxD as a device; succeeds only if the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
  k% N( `  k) [  M2 K</PRE></TD></TR></TBODY></TABLE>