About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

If no debugger consumes the int 3, it raises a breakpoint exception, so in
practice the check sits inside an SEH frame, as in Method 02.

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one).  It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command - ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method.  It looks up the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point).  When the VxD is loaded, ES:DI returns its API
entry point; when the VxD (or its API) is absent, ES:DI is left untouched,
which is why the code zeroes both registers first.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks up the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method that looks for the 'magic number' 0F386h returned (in ax) by all
system debuggers.  It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one and Method 06 are 2 examples from Stone's "stn-wid.zip"
(www.cracking.net).  This one temporarily swaps its own empty handler into
the int 41h vector of the real-mode IVT (0000:0104h), so that unless a
debugger intercepts int 41h before the IVT vector is reached, ax still
holds 4Fh afterwards:

    ; es is assumed to be 0 here (IVT segment); Method 06 shows the setup
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but harder to detect, since there is
no ax==4f to break on.  The program's own int 41h handler copies al into cl;
al holds a fresh read of timer port 40h, i.e. a more or less random byte.
If a debugger swallows the int 41h instead of letting the program's handler
run, cl stays 0 and differs from al (unless the timer byte happens to be 0):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine   ; ds:dx -&gt; New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature.  DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are memory breakpoints set (dr0 to dr3), simply by reading their
values (ring0 only, since MOV from DRn is privileged).  The values can be
manipulated and/or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* the open only succeeds if the SICE VxD answers the DIOC_OPEN */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'
  (esp-&gt;4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
  dword there holds the first four characters of the device name)

-The most exotic ones (can be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 &amp; 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

(esp-&gt;8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
inside the subkey strings of #2 and #1 respectively.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
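Before patching any of these checks out of a protected program you first have to find them. The following is an added example, my own code rather than anything from the original post or from the packers and tools it names: a static scanner in C for the byte patterns of Methods 01 through 07, 11 and 12, generalised so that one pass reports every variant. The opcode bytes are the standard x86 encodings (e.g. `mov si,4647h` is `BE 47 46`, `int 2Fh` is `CD 2F`; the 32-bit forms only add a `66h` prefix in front of the same bytes, so matching the suffix covers both). The 16-byte window allowed between the register setup and the interrupt is an assumed heuristic, and the sample buffer is constructed for the demonstration.

```c
/* Added example: static scanner for the anti-SoftICE patterns described
 * in Methods 01-07, 11 and 12.  Not from the original post.
 * The sample buffer at the bottom is constructed for this demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 16  /* assumed max distance (bytes) from register setup to the INT */

typedef struct {
    const char    *name;
    const uint8_t *trig; size_t tlen;  /* anchor bytes: the INT, push or string */
    const uint8_t *pre;  size_t plen;  /* must occur within WINDOW bytes before */
    const uint8_t *pre2; size_t p2len; /* optional second prerequisite */
} rule_t;

typedef struct { size_t offset; const char *name; } hit_t;

/* Instruction byte patterns (16-bit encodings; 32-bit code adds a 66h prefix) */
static const uint8_t INT3[]    = { 0xCC };
static const uint8_t INT2F[]   = { 0xCD, 0x2F };
static const uint8_t INT41[]   = { 0xCD, 0x41 };
static const uint8_t INT68[]   = { 0xCD, 0x68 };
static const uint8_t BCHK[]    = { 0x4B, 0x48, 0x43, 0x42 };       /* imm32 'BCHK'  */
static const uint8_t SI4647[]  = { 0xBE, 0x47, 0x46 };             /* mov si,4647h  */
static const uint8_t DI4A4D[]  = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh  */
static const uint8_t AX1684[]  = { 0xB8, 0x84, 0x16 };             /* mov ax,1684h  */
static const uint8_t BX0202[]  = { 0xBB, 0x02, 0x02 };             /* mov bx,0202h  */
static const uint8_t BX7A5F[]  = { 0xBB, 0x5F, 0x7A };             /* mov bx,7A5Fh  */
static const uint8_t AX4F[]    = { 0xB8, 0x4F, 0x00 };             /* mov ax,4Fh    */
static const uint8_t INAL40[]  = { 0xE4, 0x40 };                   /* in al,40h     */
static const uint8_t AH43[]    = { 0xB4, 0x43 };                   /* mov ah,43h    */
static const uint8_t CMPF386[] = { 0x3D, 0x86, 0xF3 };             /* cmp ax,0F386h */
static const uint8_t PUSH4F[]  = { 0x6A, 0x4F };                   /* push 4Fh (short form) */
static const uint8_t VW32[]    = { 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 002A002Ah */
static const uint8_t SICE[]    = "\\\\.\\SICE";
static const uint8_t SIWVID[]  = "\\\\.\\SIWVID";
static const uint8_t NTICE[]   = "\\\\.\\NTICE";

#define P(a)  a, sizeof(a)
#define S(a)  a, sizeof(a) - 1   /* string without its terminating NUL */
#define NONE  NULL, 0

static const rule_t rules[] = {
    { "Method 01: int 3 with ebp='BCHK'",                P(INT3),    P(BCHK),   NONE },
    { "Method 02: int 3 backdoor, SI=4647h DI=4A4Dh",    P(INT3),    P(SI4647), P(DI4A4D) },
    { "Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",   P(INT2F),   P(AX1684), P(BX0202) },
    { "Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", P(INT2F),   P(AX1684), P(BX7A5F) },
    { "Method 05: int 41h function 4Fh",                 P(INT41),   P(AX4F),   NONE },
    { "Method 06: int 41h after in al,40h",              P(INT41),   P(INAL40), NONE },
    { "Method 07: int 68h function 43h",                 P(INT68),   P(AH43),   NONE },
    { "Method 12: VxDCall VWIN32_Int41Dispatch(4Fh)",    P(VW32),    P(PUSH4F), NONE },
    { "Methods 05/07/12: cmp ax,0F386h debugger magic",  P(CMPF386), NONE,      NONE },
    { "Method 11: device name \\\\.\\SICE",              S(SICE),    NONE,      NONE },
    { "Method 11: device name \\\\.\\SIWVID",            S(SIWVID),  NONE,      NONE },
    { "Method 11: device name \\\\.\\NTICE",             S(NTICE),   NONE,      NONE },
};

/* Is `pat` present in the WINDOW bytes ending at `pos`?  NULL = no prerequisite. */
static int seen_before(const uint8_t *buf, size_t pos, const uint8_t *pat, size_t n)
{
    if (pat == NULL) return 1;
    size_t start = pos > WINDOW ? pos - WINDOW : 0;
    for (size_t i = start; i + n <= pos; i++)
        if (memcmp(buf + i, pat, n) == 0) return 1;
    return 0;
}

/* Scans buf[0..len) and records every match in address order.  Returns the
 * total number of matches (may exceed `max`; only the first `max` are stored). */
int scan_anti_softice(const uint8_t *buf, size_t len, hit_t *hits, int max)
{
    int n = 0;
    for (size_t pos = 0; pos < len; pos++) {
        for (size_t r = 0; r < sizeof rules / sizeof rules[0]; r++) {
            const rule_t *R = &rules[r];
            if (pos + R->tlen > len || memcmp(buf + pos, R->trig, R->tlen) != 0)
                continue;
            if (!seen_before(buf, pos, R->pre, R->plen) ||
                !seen_before(buf, pos, R->pre2, R->p2len))
                continue;
            if (n < max) { hits[n].offset = pos; hits[n].name = R->name; }
            n++;
        }
    }
    return n;
}

/* Constructed sample: a Method 02 backdoor call (16-bit code), then a
 * Method 03 int 2Fh check, then the MeltICE device name stored as data. */
static const uint8_t sample[] = {
    0xB8, 0x11, 0x09,        /* 00: mov ax,0911h  */
    0x8B, 0x17,              /* 03: mov dx,[bx]   */
    0xBE, 0x47, 0x46,        /* 05: mov si,4647h  */
    0xBF, 0x4D, 0x4A,        /* 08: mov di,4A4Dh  */
    0xCC,                    /* 0B: int 3         */
    0x90, 0x90, 0x90, 0x90,  /* 0C: nop x4        */
    0x33, 0xFF,              /* 10: xor di,di     */
    0x8E, 0xC7,              /* 12: mov es,di     */
    0xB8, 0x84, 0x16,        /* 14: mov ax,1684h  */
    0xBB, 0x02, 0x02,        /* 17: mov bx,0202h  */
    0xCD, 0x2F,              /* 1A: int 2Fh       */
    0x8C, 0xC0,              /* 1C: mov ax,es     */
    0x03, 0xC7,              /* 1E: add ax,di     */
    0x85, 0xC0,              /* 20: test ax,ax    */
    0x75, 0x00,              /* 22: jnz $+2       */
    0xC3,                    /* 24: ret           */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,  /* 25: "\\.\SICE" */
};

int main(void)
{
    hit_t h[16];
    int n = scan_anti_softice(sample, sizeof sample, h, 16);
    for (int i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", h[i].offset, h[i].name);
    return 0;
}
```

Run against a real DOS or Win9x executable by reading the file into the buffer; each reported offset is a candidate to set a BPX on or to patch. The long form of `int 3` (`CD 03`) and a 5-byte `push 4Fh` are not matched by these rules; add them if a target uses them.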
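Method 10 above only quotes two raw DR7 values (0x700 and 0x400). To see what a protection actually learns from the debug registers, here is an added example, my own code and not from the original post: a decoder for DR7 following the bit layout in the Intel SDM ("Debug Registers"), plus the "clear BPMs" manipulation the text mentions. Bit 10 of DR7 always reads as 1, so 0x400 is the reset value and 0x700 additionally has LE and GE (bits 8 and 9) set; that is the decoding, the attribution of 0x700 to the SoftICE loader is the text's. The register values fed in are constructed.

```c
/* Added example: decoder for the x86 debug control register DR7 that
 * Method 10 reads.  Not from the original post; bit layout per the Intel
 * SDM (vol. 3, "Debug Registers").  Sample values are constructed. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int      enabled;  /* L or G bit set for this slot                  */
    int      global;   /* G bit: stays enabled across task switches     */
    uint32_t addr;     /* linear address from DR0..DR3                  */
    unsigned rw;       /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;      /* 1, 2, 4 or 8 bytes                            */
} hwbp_t;

typedef struct {
    hwbp_t bp[4];
    int    le, ge;     /* bits 8/9: local/global exact breakpoint enable */
    int    gd;         /* bit 13: general detect (traps MOV to/from DRn) */
    int    nbp;        /* number of enabled slots                        */
} dr7_state_t;

/* LEN field encoding: 00 = 1, 01 = 2, 10 = 8 (64-bit mode only), 11 = 4 */
static unsigned len_bytes(unsigned code)
{
    static const unsigned tbl[4] = { 1, 2, 8, 4 };
    return tbl[code & 3];
}

void dr7_decode(uint32_t dr7, const uint32_t dr[4], dr7_state_t *s)
{
    s->le  = (dr7 >> 8) & 1;
    s->ge  = (dr7 >> 9) & 1;
    s->gd  = (dr7 >> 13) & 1;
    s->nbp = 0;
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;          /* L0..L3: bits 0,2,4,6  */
        int g = (dr7 >> (2 * i + 1)) & 1;      /* G0..G3: bits 1,3,5,7  */
        s->bp[i].enabled = l | g;
        s->bp[i].global  = g;
        s->bp[i].addr    = dr[i];
        s->bp[i].rw      = (dr7 >> (16 + 4 * i)) & 3;           /* R/Wn */
        s->bp[i].len     = len_bytes((dr7 >> (18 + 4 * i)) & 3); /* LENn */
        s->nbp          += l | g;
    }
}

/* Bit 10 always reads as 1, so 0x400 is the reset value; 0x700 adds LE and
 * GE, which is the value the text attributes to the SoftICE loader. */
int dr7_has_exact_bp_enable(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* "Clearing BPMs": drop all enable bits (0-7) and all R/W + LEN fields
 * (16-31), leaving LE/GE/GD and the reserved bits untouched.  Real code
 * would write the result back with MOV DR7, reg, which is ring 0 only. */
uint32_t dr7_clear_all_bpm(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

int main(void)
{
    static const char *rwname[4] = { "exec", "write", "io", "read/write" };
    /* Constructed: DR7 as the text describes it under the SoftICE loader,
     * plus one BPM in slot 0: local, 4-byte write watch at 0x401000. */
    uint32_t dr[4] = { 0x401000u, 0, 0, 0 };
    uint32_t dr7   = 0x700u | 1u | (1u << 16) | (3u << 18);
    dr7_state_t s;
    dr7_decode(dr7, dr, &s);
    printf("dr7=%08x le=%d ge=%d enabled=%d\n", (unsigned)dr7, s.le, s.ge, s.nbp);
    for (int i = 0; i < 4; i++)
        if (s.bp[i].enabled)
            printf("  BPM%d %08x %s len=%u%s\n", i, (unsigned)s.bp[i].addr,
                   rwname[s.bp[i].rw], s.bp[i].len, s.bp[i].global ? " (G)" : "");
    printf("after clearing BPMs: dr7=%08x\n", (unsigned)dr7_clear_all_bpm(dr7));
    return 0;
}
```

Reading DR0-DR7 from a VxD and passing them through `dr7_decode` gives exactly the information Method 10 exploits: whether any hardware breakpoint (a SoftICE BPM) is armed, where it watches, and whether the exact-breakpoint bits point at a loader-started session.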