<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911  ; execute command.
    4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647  ; 1st magic value.
    4C19:009D MOV DI,4A4D  ; 2nd magic value.
    4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02    ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
    4C19:00A8 JB 0095      ; 6 different commands.
    4C19:00AA JMP 0002     ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al             ; only runs if our vector really gets called
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; a changing value (PIT counter) in al
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; cl != al: our handler was never reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00            ; OF_READ
    mov eax,[00656634] ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589       ; detected
    push 00            ; OF_READ
    mov eax,[00656638] ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae        ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
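As an added example (not part of the original text, nor of any packer or tool it mentions), here is a static triage scanner that looks for the byte-level footprints of the checks above in a raw file image, so an analyst can tell which of these tricks a sample embeds before running it; the x86 encodings are standard, while the method labels and the constructed sample buffer are my own assumptions.

```python
import re

# Byte signatures for the SoftICE checks described above. Encodings are the
# standard x86 ones (16-bit forms, with an optional 66h prefix where the same
# instruction shows up in 32-bit code); the short wildcards allow a few
# unrelated instructions in between, as in the Haspinst.exe listing.
# Four-byte patterns such as Method 07 can hit by chance: treat them as hints.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker BCHK": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    "02 int 3 back door": rb"(?:\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A|"
                          rb"\x66?\xBF\x4D\x4A.{0,8}?\x66?\xBE\x47\x46).{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh
    "03 int 2Fh/1684h SICE": rb"\x66?\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F",
    "04 int 2Fh/1684h SIWVID": rb"\x66?\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh": rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): the device names handed to CreateFileA / _lopen
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall 002A002Ah/4Fh": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}
# DOTALL so the wildcards also step over 0Ah bytes inside code.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes):
    """Return (method, offset) pairs for every signature hit, ordered by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED.items()
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


def methods_found(data: bytes):
    """Sorted list of distinct method labels whose footprint appears in data."""
    return sorted({name for name, _ in scan(data)})


# Constructed sample: the Haspinst.exe fragment from Method 02 assembled by
# hand, followed by the Method 01 sequence and a MeltICE-style device name.
SAMPLE = (
    b"\xB8\x11\x09"          # mov ax,0911
    b"\x8B\x17"              # mov dx,[bx]
    b"\xBE\x47\x46"          # mov si,4647
    b"\xBF\x4D\x4A"          # mov di,4A4D
    b"\xCC"                  # int 3
    b"\x83\xC3\x02"          # add bx,02
    b"\x90\x90"              # padding
    b"\xBD\x4B\x48\x43\x42"  # mov ebp,4243484Bh ('BCHK')
    b"\x66\xB8\x04\x00"      # mov ax,4
    b"\xCC"                  # int 3
    b"\x3C\x04"              # cmp al,4
    b"\x00\\\\.\\SICE\x00"   # "\\.\SICE",0 as passed to CreateFileA
)
```

Running scan(SAMPLE) reports Method 02 at offset 5, Method 01 at offset 17 and the MeltICE device name at offset 30; a hit list like this is a reason to look at the sample under a debugger that does not answer these probes, not proof of anything on its own.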