About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: with
ebp = 'BCHK' and ax = 4, int 3 is serviced by SoftICE and returns with al
changed (the code only relies on al no longer being 4); without SoftICE
the interrupt returns with al still equal to 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al unchanged -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It relies on
the SoftICE 'back door' commands, which give info on breakpoints or execute
SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)


The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point).  ES:DI is zeroed beforehand and is only
filled in when the VxD with that ID is loaded, so a non-zero ES:DI means
SoftICE answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers.  It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  Here the int 41h vector is swapped with
a dummy handler around the call (es must point to segment 0, the IVT).  A
debugger that intercepts the interrupt before it reaches the IVT still
answers 0F386h, although the program's own handler would have left ax alone:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies al into cl, so cl == al afterwards only if the program's
own handler was the one that ran.  al is loaded from the timer (in al,40h)
so the expected value changes on every run.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                ; es -> segment 0 (the IVT)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h              ; timer channel 0: a hard-to-predict byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): function
ah=43h is the debugger installation check and answers 0F386h in ax.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this trick. DO NOT trace with
   SoftICE while the check is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only).  Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
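The two dr7 values quoted in Method 10 follow from the register layout (Intel SDM vol. 3, debug registers): bit 10 of DR7 is reserved and always reads as 1, so a system where nothing has touched the debug registers shows 0x400; 0x700 has LE (bit 8) and GE (bit 9) set on top, the "exact breakpoint" enables that the SoftICE loader evidently turns on. A BPM shows up as one of the L0..L3/G0..G3 enable bits (bits 0..7) with its type (RWn) and length (LENn) in bits 16..31. The decoder below is an added example and not code from the original text: it takes a DR7 value as a protection would read it in ring 0 (mov eax, dr7) and reports what a debugger has left in it. The dr7_with_bpm helper, which models what a memory breakpoint sets, is an assumption of this example and not a SoftICE routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One DR0..DR3 slot as DR7 describes it (Intel SDM vol. 3, "Debug Registers"). */
struct hw_bp {
    int      enabled;   /* Ln or Gn enable bit set */
    int      global;    /* Gn set (survives task switches) rather than Ln */
    unsigned rw;        /* RWn: 0 = execute, 1 = data write, 2 = I/O, 3 = data read/write */
    unsigned len;       /* LENn decoded to a byte count */
};

struct dr7_info {
    struct hw_bp bp[4];
    int le, ge, gd;     /* bit 8 local exact, bit 9 global exact, bit 13 general detect */
    int n_enabled;
    int debugger_marks; /* anything a debugger leaves behind: LE/GE set or a slot enabled */
};

static const char *rw_name(unsigned rw)
{
    static const char *names[] = { "execute", "write", "io", "read/write" };
    return names[rw & 3];
}

/* LENn encoding: 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (64-bit mode only). */
static unsigned len_bytes(unsigned code)
{
    switch (code & 3) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info info;
    memset(&info, 0, sizeof info);
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i)) & 1;
        int global = (dr7 >> (2 * i + 1)) & 1;
        info.bp[i].enabled = local || global;
        info.bp[i].global  = global;
        info.bp[i].rw      = (dr7 >> (16 + 4 * i)) & 3;
        info.bp[i].len     = len_bytes((dr7 >> (18 + 4 * i)) & 3);
        if (info.bp[i].enabled)
            info.n_enabled++;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    info.debugger_marks = info.le || info.ge || info.n_enabled > 0;
    return info;
}

/* The protector's question, given the value it read with "mov eax, dr7" in ring 0. */
int dr7_looks_debugged(uint32_t dr7)
{
    return decode_dr7(dr7).debugger_marks;
}

/* Model what a BPM does to DR7: local-enable slot n with the given RWn/LENn codes
 * (assumption of this example, not a SoftICE routine). */
uint32_t dr7_with_bpm(uint32_t dr7, int slot, unsigned rw, unsigned lencode)
{
    dr7 |= 1u << (2 * slot);
    dr7 &= ~(0xFu << (16 + 4 * slot));
    dr7 |= ((rw & 3) | ((lencode & 3) << 2)) << (16 + 4 * slot);
    return dr7;
}

void print_dr7(uint32_t dr7)
{
    struct dr7_info info = decode_dr7(dr7);
    printf("dr7=%08x  LE=%d GE=%d GD=%d  enabled slots=%d%s\n", (unsigned)dr7, info.le,
           info.ge, info.gd, info.n_enabled, info.debugger_marks ? "  <- debugger marks" : "");
    for (int i = 0; i < 4; i++)
        if (info.bp[i].enabled)
            printf("  dr%d: %s, %u byte(s), %s\n", i, rw_name(info.bp[i].rw),
                   info.bp[i].len, info.bp[i].global ? "global" : "local");
}

int main(void)
{
    print_dr7(0x400);                        /* clean system: only reserved bit 10 */
    print_dr7(0x700);                        /* loaded through the SoftICE loader: LE|GE */
    print_dr7(dr7_with_bpm(0x400, 0, 3, 3)); /* constructed: a 4-byte read/write BPM in dr0 */
    return 0;
}
```

Reading DR7 is a privileged instruction, so the check itself belongs in a VxD or a driver; the decoding above is what that ring-0 code does with the value, and clearing the slot bits it finds is the "clearing BPMs" the method mentions.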

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* The Win9x SoftICE VxD registers the device name SICE; opening it
      only succeeds when the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall back door.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
the #2 and #1 subkey strings):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
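Methods 01 to 13 each leave fixed byte sequences in the protected file: the 'BCHK' immediate, the 4647h/4A4Dh magic values, the int 2Fh/1684h and int 41h/4Fh call sequences, the 0F386h compare, the \\.\SICE-style device names and the NuMega registry key. A quick triage of a suspicious binary is therefore to scan it for those sequences before stepping into it, which tells you which method to expect and where to put the breakpoint. The scanner below is an added example and not part of the original text: the patterns are the encodings of the instructions quoted in the methods above (16-bit forms without the 66h operand-size prefix, so they also match the same instruction inside 32-bit code), and the sample buffer it scans is constructed here for the demonstration. A protector can reorder or obfuscate these sequences, so a clean scan proves nothing; a hit is a pointer, not a verdict.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encodings of the instructions quoted in the methods above. The 16-bit forms
 * are given without the 66h operand-size prefix so they also match in 32-bit code. */
static const uint8_t sig_bchk[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                   /* mov ebp,'BCHK'            */
static const uint8_t sig_si[]     = { 0xBE, 0x47, 0x46 };                               /* mov si,4647h              */
static const uint8_t sig_di[]     = { 0xBF, 0x4D, 0x4A };                               /* mov di,4A4Dh              */
static const uint8_t sig_sice[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* ax=1684h bx=0202h int 2Fh */
static const uint8_t sig_siwvid[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* ax=1684h bx=7A5Fh int 2Fh */
static const uint8_t sig_int41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                   /* mov ax,4Fh; int 41h       */
static const uint8_t sig_int68[]  = { 0xB4, 0x43, 0xCD, 0x68 };                         /* mov ah,43h; int 68h       */
static const uint8_t sig_f386[]   = { 0x3D, 0x86, 0xF3 };                               /* cmp ax,0F386h             */
static const uint8_t sig_vxd41[]  = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };                   /* push 002A002Ah            */

struct signature { const char *name; const uint8_t *bytes; size_t len; };
#define RAW(a) (a), sizeof (a)
#define STR(s) (const uint8_t *)(s), sizeof (s) - 1

static const struct signature sigs[] = {
    { "method 01: BCHK signature",               RAW(sig_bchk)   },
    { "method 02: back door magic SI=4647h",     RAW(sig_si)     },
    { "method 02: back door magic DI=4A4Dh",     RAW(sig_di)     },
    { "method 03: int 2Fh/1684h, SICE 0202h",    RAW(sig_sice)   },
    { "method 04: int 2Fh/1684h, SIWVID 7A5Fh",  RAW(sig_siwvid) },
    { "method 05: int 41h/4Fh",                  RAW(sig_int41)  },
    { "method 07: int 68h/43h",                  RAW(sig_int68)  },
    { "method 05/07/12: cmp ax,0F386h",          RAW(sig_f386)   },
    { "method 12: VxDCall VWIN32_Int41Dispatch", RAW(sig_vxd41)  },
    { "method 11: device name \\\\.\\SICE",      STR("\\\\.\\SICE")   },
    { "method 11: device name \\\\.\\SIWVID",    STR("\\\\.\\SIWVID") },
    { "method 11: device name \\\\.\\NTICE",     STR("\\\\.\\NTICE")  },
    { "method 13: registry key NuMega\\SoftICE", STR("Software\\NuMega\\SoftICE") },
};

struct hit { const char *name; size_t offset; };

/* Plain byte search (memmem is not portable); returns the offset or -1. */
static long find_bytes(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen, size_t from)
{
    for (size_t i = from; plen <= len && i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* Records every occurrence of every signature; returns the total, even past max_hits. */
int scan_buffer(const uint8_t *buf, size_t len, struct hit *hits, int max_hits)
{
    int n = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
        long off;
        for (size_t from = 0; (off = find_bytes(buf, len, sigs[s].bytes, sigs[s].len, from)) >= 0;
             from = (size_t)off + 1) {
            if (n < max_hits) {
                hits[n].name = sigs[s].name;
                hits[n].offset = (size_t)off;
            }
            n++;
        }
    }
    return n;
}

/* Counts recorded hits whose name starts with prefix ("" counts them all). */
int hits_matching(const struct hit *hits, int n, const char *prefix)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(hits[i].name, prefix, strlen(prefix)) == 0)
            c++;
    return c;
}

/* Constructed sample: methods 01 (32-bit), 02 and 05 (16-bit) as code, nop padding,
 * then a MeltICE device name and the method 13 registry key as C strings. */
static const uint8_t sample[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10,
    0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x05, 0x90, 0x90, 0x90, 0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
    'S', 'o', 'f', 't', 'w', 'a', 'r', 'e', '\\', 'N', 'u', 'M', 'e', 'g', 'a', '\\',
    'S', 'o', 'f', 't', 'I', 'C', 'E', 0, 0x90, 0x90,
};

/* Scans the constructed sample and counts the hits for one method prefix. */
int sample_hits_matching(const char *prefix)
{
    struct hit hits[32];
    int n = scan_buffer(sample, sizeof sample, hits, 32);
    return hits_matching(hits, n < 32 ? n : 32, prefix);
}

int main(void)
{
    struct hit hits[32];
    int n = scan_buffer(sample, sizeof sample, hits, 32);
    for (int i = 0; i < n && i < 32; i++)
        printf("%06zx  %s\n", hits[i].offset, hits[i].name);
    return n > 0;   /* nonzero exit: anti-debug tricks found */
}
```

Against a real file, read it into a buffer and call scan_buffer on it; the offsets it prints are file offsets, so the matching instruction can be located in the disassembler and the appropriate breakpoint from the methods above (BPX CreateFileA, BPINT 41, bpx Get_DDB...) set before running the target.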


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.