<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker interface of SoftICE: if SoftICE is loaded,
its int 3 handler recognises the 'BCHK' magic in EBP and services the
request, so AL no longer holds 4 on return.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point). Without the VxD, ES:DI stays 0:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7A5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax, 4Fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Before issuing the call, it swaps its own
int 41h handler (a plain IRET) into the real-mode IVT so that, without a
debugger, AX comes back unchanged; SoftICE hooks int 41h at a lower level
than the IVT and still answers 0F386h:

 xor ax,ax
 mov es,ax ; ES=0 -> IVT (as in the Method 06 listing)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax, 4Fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0F386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:
there is no function number and no 0F386h constant to spot. AL is loaded
from port 40h (the PIT counter), the temporary handler copies AL into CL,
and the code then compares CL with AL. If SoftICE answered the interrupt
itself, the local handler never ran and CL (zeroed beforehand) no longer
matches AL.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7A5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise: bit
10 of DR7 is reserved and always reads as 1, and 0x700 additionally has the
LE/GE exact-match bits set) or if there are some memory breakpoints set
(DR0 to DR3), simply by reading their values (in ring0 only). Values can be
manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is mostly known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 dword compared holds the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004Fh ; function 4Fh
 push 002A002Ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0F386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
 inside keys #2 and #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
2 ?9 ?. H5 m0 g: M$ G</PRE></TD></TR></TBODY></TABLE> |