<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a temporary int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install a temporary int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random value from the timer port
    xor cx, cx
    int 41h                 ; our handler copies al into cl; SoftICE does not
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32Bit
   app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
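Added example (not part of the original text, and not code from any of the
tools or programs named above): a small static signature scanner, written in
Python for this page, that recognises the byte encodings of the instruction
sequences from Methods 01-07 and 12 and the MeltICE device-name strings of
Method 11 inside a raw code buffer. This is the kind of check an analyst
triaging a packed sample runs before loading it under a debugger, so the
trick can be NOPed or stepped over instead of tripping it. The byte patterns
were hand-assembled from the 16-bit listings above (the 32-bit forms only add
a leading 66h operand-size prefix, which the patterns do not need to include);
the sample buffer at the bottom is constructed here and is not bytes from any
real program. The usual caveat applies: a literal-byte match only catches code
that loads the magic values as immediates, so a packer that computes them at
run time or goes through a register-indirect form will not match.

```python
"""Static scanner for the SoftICE-detection instruction sequences described in
Methods 01-07, 11 and 12 of the page (added example, not original content)."""
from typing import Dict, List, Optional, Tuple

# Name -> hex pattern; '??' marks a wildcard byte. 16-bit encodings taken
# from the listings on the page.
SIGNATURES: Dict[str, str] = {
    # Method 01: mov ebp,4243484Bh ('BCHK')
    "method01_boundschecker_BCHK": "BD 4B 48 43 42",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back-door magic values)
    "method02_backdoor_magic_SI_DI": "BE 47 46 BF 4D 4A CC",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    "method03_04_int2F_1684_vxd_id": "B8 84 16 BB ?? ?? CD 2F",
    # Method 05: mov ax,4Fh / int 41h
    "method05_int41_4F_magic": "B8 4F 00 CD 41",
    # Method 07: mov ah,43h / int 68h
    "method07_int68_43": "B4 43 CD 68",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "method12_vxdcall_002A002A_4F": "6A 4F 68 2A 00 2A 00",
}

# VxD IDs named on the page, used to label Method 03/04 hits.
KNOWN_VXD_IDS: Dict[int, str] = {0x0202: "SICE", 0x7A5F: "SIWVID"}

# Method 11 (MeltICE): device names opened with CreateFileA / _lopen.
DEVICE_NAMES: List[bytes] = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def parse_pattern(spec: str) -> List[Optional[int]]:
    """Turn 'B8 4F ?? CD' into [0xB8, 0x4F, None, 0xCD]."""
    return [None if tok == "??" else int(tok, 16) for tok in spec.split()]


def find_pattern(buf: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Return every offset where the wildcard pattern matches."""
    n = len(pattern)
    return [
        off
        for off in range(len(buf) - n + 1)
        if all(p is None or buf[off + i] == p for i, p in enumerate(pattern))
    ]


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Return every (possibly overlapping) offset of needle in buf."""
    hits, start = [], 0
    while (idx := buf.find(needle, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return sorted (offset, finding) pairs for every trick recognised in buf."""
    findings: List[Tuple[int, str]] = []
    for name, spec in SIGNATURES.items():
        for off in find_pattern(buf, parse_pattern(spec)):
            if name == "method03_04_int2F_1684_vxd_id":
                # The two wildcard bytes are the little-endian VxD ID loaded into bx.
                vxd_id = buf[off + 4] | (buf[off + 5] << 8)
                label = KNOWN_VXD_IDS.get(vxd_id, "unknown")
                findings.append((off, f"{name}_{vxd_id:04X}_{label}"))
            else:
                findings.append((off, name))
    for dev in DEVICE_NAMES:
        for off in find_all(buf, dev):
            # dev[4:] strips the '\\.\' prefix, leaving the driver name.
            findings.append((off, "method11_device_name_" + dev[4:].decode()))
    return sorted(findings)


# Constructed sample: benign filler interleaved with four of the sequences
# above, assembled by hand for this example (not bytes from any real program).
SAMPLE = (
    b"\x55\x8b\xec\x90\x90"                           # push bp / mov bp,sp / nops
    + bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 10")  # Method 05 + cmp ax,0F386h / jz
    + b"\x90" * 4
    + bytes.fromhex("B8 84 16 BB 02 02 CD 2F")        # Methods 03/04, VxD id 0202h
    + b"\x00\\\\.\\SICE\x00"                          # MeltICE device name string
    + bytes.fromhex("BE 47 46 BF 4D 4A CC")           # Method 02 magic values + int 3
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print(f"{off:#06x}  {what}")
```

Running the block prints one line per hit with its offset; on the constructed
sample that is four hits (Methods 05, 03/04 with the SICE id, 11 and 02).
Method 09, 10 and 14 have no useful byte signature: a VMMCall is a dynamic
link resolved at load time, and reading dr7 is an ordinary mov from a control
register, so those are better caught with the SoftICE breakpoints the page
lists than with a static pattern.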

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>