About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE's int 3 handler
answers to:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; a loaded SoftICE recognises 'BCHK' and
                                   ; modifies AL; without it AL is untouched
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES must be 0 here (IVT), as in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a system debugger answered instead of us
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler: copy AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler, old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value (timer port) in AL
    xor     cx,cx
    int     41h                     ; if our handler runs, CL == AL afterwards
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: the interrupt went to a debugger,
    jnz     SoftICE_detected        ; not to the vector in the IVT

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
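The interrupt-based checks of Methods 01 to 07 all load fixed immediates ('BCHK', SI='FG'/DI='JM', the VxD IDs 0202h/7A5Fh, AX=4Fh, AH=43h) right before the INT, so they can be found in a binary by byte pattern. The scanner below is an added example written for this page, not code from the original text or from any tool it names. It runs over a constructed byte string in which the checks shown above were hand-assembled as they would appear in 16-bit code; 32-bit code differs only by the 66h operand-size prefix on the 16-bit moves, which the patterns treat as optional. Method 06 loads no identifying immediate and is deliberately not matched. Window size, signature labels and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

P66 = rb"\x66?"   # optional operand-size prefix: 16-bit and 32-bit code differ only here

# (method label, interrupt that ends the check, immediates that must precede it)
SIGNATURES: List[Tuple[str, bytes, List[bytes]]] = [
    ("01 BoundsChecker 'BCHK' (int 3)", rb"\xCC|\xCD\x03",
     [P66 + rb"\xBD\x4B\x48\x43\x42",      # mov ebp, 4243484Bh  'BCHK'
      P66 + rb"\xB8\x04\x00"]),            # mov ax, 4
    ("02 back door SI='FG' DI='JM' (int 3)", rb"\xCC|\xCD\x03",
     [P66 + rb"\xBE\x47\x46",              # mov si, 4647h
      P66 + rb"\xBF\x4D\x4A"]),            # mov di, 4A4Dh
    ("03 SICE VxD entry point (int 2Fh/1684h)", rb"\xCD\x2F",
     [P66 + rb"\xB8\x84\x16",              # mov ax, 1684h
      P66 + rb"\xBB\x02\x02"]),            # mov bx, 0202h
    ("04 SIWVID VxD entry point (int 2Fh/1684h)", rb"\xCD\x2F",
     [P66 + rb"\xB8\x84\x16",
      P66 + rb"\xBB\x5F\x7A"]),            # mov bx, 7A5Fh
    ("05 debugger magic 0F386h (int 41h/4Fh)", rb"\xCD\x41",
     [P66 + rb"\xB8\x4F\x00"]),            # mov ax, 4Fh
    ("07 WinICE V86 handler (int 68h/43h)", rb"\xCD\x68",
     [rb"\xB4\x43"]),                      # mov ah, 43h
]

# Every interrupt a signature can end with; the look-back window is cut at the
# previous one so a check's immediates are never credited to the next check.
TRIGGER = re.compile(rb"\xCC|\xCD[\x03\x2F\x41\x68]", re.DOTALL)
MOV_AX_09XX = re.compile(P66 + rb"\xB8(.)\x09", re.DOTALL)   # mov ax, 09xxh

BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set SoftICE breakpoints",
    0x0914: "remove SoftICE breakpoints",
}

@dataclass
class Hit:
    offset: int                         # offset of the INT instruction
    method: str
    backdoor_fn: Optional[int] = None   # AX value for Method 02 hits

def scan(code: bytes, window: int = 32) -> List[Hit]:
    """Return every anti-SoftICE check whose set-up immediates precede its INT."""
    hits, prev_end = [], 0
    for m in TRIGGER.finditer(code):
        before = code[max(prev_end, m.start() - window):m.start()]
        prev_end = m.end()
        for label, trigger, needed in SIGNATURES:
            if not re.fullmatch(trigger, m.group()):
                continue
            if all(re.search(p, before, re.DOTALL) for p in needed):
                hit = Hit(m.start(), label)
                if label.startswith("02"):
                    fn = MOV_AX_09XX.search(before)
                    hit.backdoor_fn = 0x0900 | fn.group(1)[0] if fn else None
                hits.append(hit)
                break
    return hits

def report(code: bytes) -> List[str]:
    """One human-readable line per hit."""
    lines = []
    for h in scan(code):
        line = f"{h.offset:#06x}: method {h.method}"
        if h.backdoor_fn is not None:
            line += f", AX={h.backdoor_fn:04X}h ({BACKDOOR_FUNCS.get(h.backdoor_fn, 'unknown')})"
        lines.append(line)
    return lines

# Constructed sample (not taken from any real binary): Methods 01, 02, 03, 05 and 07
# hand-assembled as 16-bit code, followed by an unrelated int 3.
SAMPLE = bytes.fromhex(
    "66BD4B484342" "B80400" "CC" "3C04" "7510"        # 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz
    "B81109" "8B17" "BE4746" "BF4D4A" "CC"            # 02: mov ax,911h / mov dx,[bx] / mov si,'FG' / mov di,'JM' / int 3
    "33FF" "8EC7" "B88416" "BB0202" "CD2F"            # 03: xor di,di / mov es,di / mov ax,1684h / mov bx,202h / int 2Fh
    "8CC0" "03C7" "85C0" "7505"                       #     mov ax,es / add ax,di / test ax,ax / jnz
    "B84F00" "CD41" "3D86F3" "7405"                   # 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    "B443" "CD68" "3D86F3" "7405"                     # 07: mov ah,43h / int 68h / cmp ax,0F386h / jz
    "CC"                                              # a plain int 3 with no set-up: not reported
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The look-back window is reset at every interrupt rather than being a fixed byte count only, because the Haspinst listing above shows how close two checks can sit; without the reset the 'BCHK' immediates of one check would satisfy the next INT 3 as well.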
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler (DS = its segment)
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 -> open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>