About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must point to segment 0 (the IVT), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
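The register layout behind the two DR7 values quoted above, as an added example that is not part of the original text: the script decodes a DR7 value together with DR0-DR3 the way the ring-0 check would see them, reports which hardware breakpoints are enabled, and shows why 0x700 and 0x400 differ (0x400 is the reserved bit 10 that always reads as 1; 0x700 adds the LE and GE bits). Bit positions follow the x86 DR7 definition; the sample register values are constructed and the `classify_dr7` labels are my own.

```python
"""Decode x86 debug registers as read by the Method 10 trick (added example)."""
from dataclasses import dataclass
from typing import List, Sequence

DR7_LE = 1 << 8        # local exact breakpoint enable
DR7_GE = 1 << 9        # global exact breakpoint enable
DR7_BIT10 = 1 << 10    # reserved, always reads as 1 -> an untouched DR7 reads 0x400
DR7_GD = 1 << 13       # general detect: any MOV to/from DR0-DR7 raises #DB

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) is only defined in 64-bit mode


@dataclass
class HwBreakpoint:
    slot: int          # 0-3: which of DR0-DR3 holds the linear address
    address: int
    local: bool        # Ln bit (cleared by the CPU on a task switch)
    global_: bool      # Gn bit
    kind: str          # what access triggers it
    length: int        # monitored range in bytes


def decode_dr7(dr7: int, dr0_3: Sequence[int]) -> List[HwBreakpoint]:
    """List the hardware breakpoints DR7 currently enables (the BPMs Method 10 looks for)."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot n is disabled regardless of DRn content
        rw = (dr7 >> (16 + 4 * n)) & 3    # RWn field
        ln = (dr7 >> (18 + 4 * n)) & 3    # LENn field
        bps.append(HwBreakpoint(n, dr0_3[n], local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return bps


def classify_dr7(dr7: int) -> str:
    """Label a DR7 value per the observation in the text (labels are mine)."""
    if dr7 & DR7_GD:
        # A debugger armed general-detect: the MOV DR7,reg of the trick itself traps.
        return "general-detect armed"
    loader_bits = DR7_LE | DR7_GE | DR7_BIT10
    if (dr7 & loader_bits) == loader_bits:
        return "softice-loader (LE+GE set)"   # 0x700 pattern
    if dr7 == DR7_BIT10:
        return "clean"                         # 0x400 pattern
    return "other"


# Constructed sample: loader pattern plus a local 4-byte R/W BPM in slot 0
# and a global execute breakpoint in slot 1.
SAMPLE_DR7 = 0x700 | 0x1 | 0x8 | (0x3 << 16) | (0x3 << 18)   # == 0xF0709
SAMPLE_DR0_3 = [0x00401000, 0x00401067, 0, 0]

if __name__ == "__main__":
    print(hex(SAMPLE_DR7), classify_dr7(SAMPLE_DR7))
    for bp in decode_dr7(SAMPLE_DR7, SAMPLE_DR0_3):
        print(bp)
```

Reading DR0-DR7 is a privileged operation, which is why the text restricts the trick to ring 0; the GD bit is the defender's answer, since with it set the very instruction that reads the registers faults into the debugger before it sees anything.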
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE VxD on Win9x */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
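A static triage scanner, added here as an example and not code from the original text, that looks for the instruction sequences and device-name strings of Methods 01-07, 11 and 12 in a raw binary, so a sample can be flagged for these tricks before it is ever run under a debugger. The byte patterns are my assumed x86 encodings of the listings in this post (for instance `BD 4B 48 43 42` for `mov ebp,4243484Bh`, `B8 4F 00 CD 41` for `mov ax,4fh / int 41h`); the `SIGNATURES` table and `scan` function are my own, `SAMPLE` is a constructed buffer, and the method numbers refer to the sections above.

```python
"""Static scan for the anti-SoftICE signatures described in this post (added example)."""
import re
from typing import List, Tuple

ANY = rb"[\x00-\xff]"   # one arbitrary byte, so no re.DOTALL is needed

# (method number in this post, what the bytes correspond to, regex over raw bytes)
# The encodings are my assumptions about how the listings assemble.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "mov ebp,4243484Bh ('BCHK') followed shortly by int 3",
     rb"\xBD\x4B\x48\x43\x42" + ANY + rb"{0,8}?\xCC"),
    ("02", "mov si,4647h / mov di,4A4Dh back-door magic values (16- or 32-bit form)",
     rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),
    ("03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD entry-point query)",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD entry-point query)",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h debugger installation check",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("05/07/12", "cmp ax,0F386h (system-debugger magic; 3 bytes, weak on its own)",
     rb"\x3D\x86\xF3"),
    ("07", "mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("11", r"\\.\SICE, \\.\SIWVID or \\.\NTICE device name (MeltICE / _lopen variants)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(method, desc, re.compile(pat)) for method, desc, pat in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[str, int, str]]:
    """Return (method, offset, description) for every signature hit, ordered by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((method, m.start(), desc))
    hits.sort(key=lambda h: (h[1], h[0]))
    return hits


# Constructed sample buffer: filler bytes around several of the sequences above.
SAMPLE = (
    b"\x90" * 4                                            # 0-3: filler
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # 4-15: Method 01 (32-bit form)
    + b"\x90" * 3                                          # 16-18: filler
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # 19-28: Method 02, AX=0911h
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # 29-36: Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # 37-44: Method 05 + magic compare
    + b"\\\\.\\SICE\x00"                                    # 45-53: Method 11 device name
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"           # 54-63: Method 12
    + b"\x90" * 4                                          # 64-67: filler
)

if __name__ == "__main__":
    for method, offset, desc in scan(SAMPLE):
        print(f"method {method:<8} @ 0x{offset:04x}  {desc}")
```

Offsets are returned so each hit can be cross-checked in a disassembler; a match inside data or padding is a false positive, and the 3-byte `cmp ax,0F386h` pattern in particular is only meaningful next to one of the longer sequences.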

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>