About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name succeeds only if the SICE VxD answers DIOC_OPEN */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
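The tricks above leave recognisable byte sequences in a binary. The following static triage scanner is an added example, not part of the original post: it searches a raw image for the x86 encodings of the constants and strings quoted in the methods (the 'BCHK' immediate, the 4647h/4A4Dh magic values, int 41h/4Fh, the VxD IDs, the driver names and the 002A002Ah VxDCall) so an analyst can flag anti-SoftICE code without executing the sample. Encodings assume standard 16/32-bit x86 immediates (the optional 0x66 prefix covers either operand size); the sample image is constructed here and is not taken from any real binary.

```python
"""Static triage of the anti-SoftICE signatures described in the post."""
import re
from typing import Dict, List, Tuple

# (method number in the post, description, byte pattern of the trick)
SIGNATURES: List[Tuple[str, str, "re.Pattern"]] = [
    ("01", "BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("02", "SoftICE back door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("05", "int 41h function 4Fh debugger installation check",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    ("07", "int 68h function 43h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("11", "MeltICE driver name \\\\.\\SICE / SIWVID / NTICE",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "NuMega registry key lookup",
     re.compile(rb"Software\\NuMega\\SoftICE")),
    ("magic", "compare ax with system-debugger magic 0F386h",
     re.compile(rb"\x66?\x3D\x86\xF3")),
]


def scan(image: bytes) -> Dict[str, List[int]]:
    """Return {method: [offsets]} for every signature present in image."""
    hits: Dict[str, List[int]] = {}
    for method, _desc, pattern in SIGNATURES:
        offsets = [m.start() for m in pattern.finditer(image)]
        if offsets:
            hits[method] = offsets
    return hits


def report(image: bytes) -> List[str]:
    """Human-readable lines, one per matching method, for a triage note."""
    found = scan(image)
    desc = {m: d for m, d, _ in SIGNATURES}
    return [f"method {m}: {desc[m]} at {[hex(o) for o in offs]}"
            for m, offs in found.items()]


# Constructed sample (not a real binary): Method 01 check, Method 02 magic
# values, a MeltICE driver string and the Method 12 VxDCall arguments.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"    # mov ax,4 ; int 3 ; cmp al,4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\\\\.\\SICE\x00"                 # "\\.\SICE",0
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"    # push 4Fh ; push 2A002Ah
    + b"\x00" * 8
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```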