<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax             ; ES -> interrupt vector table at 0000h
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; ...and restore the previous vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; unpredictable value read from the timer port
    xor cx,cx
    int 41h               ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; ...unless a system debugger intercepted the interrupt
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number    ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
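As an added analyst-side example that is not part of the original text, the following Python triage scanner flags Methods 01 to 05, 07, 11, 12 and 13 in a raw binary by the byte patterns of the instructions and strings shown above. The x86 encodings (16-bit code where the text shows 16-bit code) and the constructed sample bytes are assumptions made here, not values taken from the page.

```python
import re

# Added example, not from the original text: byte signatures for the SoftICE
# checks described on this page, usable for triage of a packed sample.
# Assumption: 16-bit x86 encodings where the page shows 16-bit code.
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK' BoundsChecker check)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02", "mov si,4647h / mov di,4A4Dh (back door magic values)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    ("05", "mov ax,4Fh / int 41h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("07", "mov ah,43h / int 68h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("11", "MeltICE device name (ANSI, NUL-terminated)",
     re.compile(b"(?:" + b"|".join(re.escape(d) for d in
                (rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE")) + b")\x00")),
    ("12", "push 4Fh / push 2A002Ah before VxDCall (imm8 or imm32 push)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("13", "registry key NuMega\\SoftICE",
     re.compile(re.escape(rb"NuMega\SoftICE"))),
]


def scan(blob):
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob):
    """Distinct method numbers (as numbered on this page) present in blob."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample (not a real binary): 16-bit code for Methods 01, 02 and 05,
# then data for Method 11, a 32-bit push pair for Method 12, a key for Method 13.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"            # mov ebp,4243484Bh (66h prefix in 16-bit code)
    + b"\xB8\x04\x00\xCC\x3C\x04"            # mov ax,4 / int 3 / cmp al,4
    + b"\xB8\x11\x09\x8B\x17"                # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"        # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"     # device names tried by MeltICE
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"        # push 4Fh / push 2A002Ah
    + b"Software\\NuMega\\SoftICE\x00"        # registry key #2 from Method 13
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  Method {method}: {desc}")
```

A hit on a single signature is only a lead: the 'magic number' comparison and the int 41h call also occur in legitimate debug-aware code, so confirm a hit by tracing the surrounding instructions with the breakpoints listed under each method.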
</PRE></TD></TR></TBODY></TABLE>