<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh       ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of winice
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh             ; VxD ID of SIWVID
    int 2fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                ; only runs if nobody else owns int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                ; timer port: an unpredictable value in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                ; cl != al: our handler was not the one called
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(The function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps.)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                    ; set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32)
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
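An analyst-side triage scanner, added here as an example (it is not code from the original text), that flags the byte sequences of the tricks catalogued above in a file being examined. It assumes the standard x86 encodings of the instructions as shown on the page (16-bit forms, with an optional 66h operand-size prefix accepted for 32-bit builds) and runs on a constructed sample buffer when no file is given.

```python
# Added example, not code from the original text: flag the anti-SoftICE
# markers catalogued on this page inside a sample. Patterns are the standard
# x86 encodings of the page's instructions (assumption: 16-bit forms, plus an
# optional 66h operand-size prefix for the same instructions in 32-bit code).
from __future__ import annotations
import re
import sys

OPSIZE = rb"\x66?"   # optional 16-bit operand-size prefix in 32-bit code

# rule name -> compiled regex over raw bytes
RULES = {
    # Method 01: mov ebp,4243484Bh ('BCHK'), the BoundsChecker signature
    "M01 BoundsChecker 'BCHK' signature": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h followed closely by mov di,4A4Dh (back-door magic)
    "M02 back-door magic SI=4647h/DI=4A4Dh":
        re.compile(OPSIZE + rb"\xBE\x47\x46.{0,8}?" + OPSIZE + rb"\xBF\x4D\x4A", re.DOTALL),
    # Methods 03/04: mov bx,0202h (SICE) or 7A5Fh (SIWVID) followed by int 2Fh
    "M03/04 int 2Fh/1684h VxD ID check":
        re.compile(OPSIZE + rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41h function 4Fh": re.compile(OPSIZE + rb"\xB8\x4F\x00\xCD\x41"),
    # Methods 05/06/07/12: cmp ax,0F386h, the system-debugger magic number
    "M05/07/12 cmp ax,0F386h": re.compile(OPSIZE + rb"\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h function 43h": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11: device names opened by MeltICE-style checks (CreateFileA/_lopen)
    "M11 SoftICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) before the VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch": re.compile(rb"\x68\x2A\x00\x2A\x00"),
    # Method 13: registry path used to locate the installation directory
    "M13 NuMega\\SoftICE registry key": re.compile(rb"Software\\NuMega\\SoftICE"),
}


def scan(data: bytes) -> list[tuple[str, int]]:
    """Return (rule name, offset) for every marker found, ordered by offset."""
    hits = [(name, m.start()) for name, rx in RULES.items() for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: a few of the page's sequences embedded in NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # M01, 32-bit build
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # M02, Haspinst-style
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"          # M05
    + b"\\\\.\\SICE\x00"                                    # M11 device name
    + b"\x90" * 4
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, off in scan(data):
        print(f"{off:08x}  {name}")
```

A hit is a reason to look at the surrounding code in a disassembler, not proof on its own, since short byte sequences can occur by chance in data.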
</PRE></TD></TR></TBODY></TABLE>