<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs              ; es is assumed to hold 0 (the interrupt
    lea dx, int41handler2   ; vector table), as set explicitly in Method 06
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in dx:bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our own handler: copy al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary byte (timer counter)
    xor cx,cx
    int 41h                 ; cl=al only if our handler actually ran
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

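The dr7 values quoted above (0x700 under the SoftICE loader, 0x400 otherwise) can be read off the DR7 bit layout. The following Python decoder is an added example, not part of the original text: it shows that 0x400 is only the always-set reserved bit 10, that 0x700 additionally has the LE and GE exact-match bits set, and that neither value enables a breakpoint, so an L/G enable bit (with its R/W and LEN fields) is what actually reveals a BPM.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7    L0 G0 L1 G1 L2 G2 L3 G3  local/global enable for DR0..DR3
#   bit 8 LE, bit 9 GE                   exact-match flags (set by old debuggers)
#   bit 10                               reserved, always reads as 1 (hence 0x400)
#   bits 16-31  R/W0 LEN0 .. R/W3 LEN3   condition and length of each breakpoint
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the breakpoints enabled in dr7 together with the LE/GE flags."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            breakpoints.append({
                "dr": i,
                "scope": "global" if glob else "local",
                "kind": RW_KIND[rw],
                "length": LEN_BYTES[ln],
            })
    return {
        "breakpoints": breakpoints,
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
    }


def describe_dr7(dr7: int) -> str:
    """One-line reading of a dr7 value in the terms used by Method 10."""
    d = decode_dr7(dr7)
    parts = []
    if d["LE"] or d["GE"]:
        parts.append("LE/GE set (exact-match mode, as with dr7=0x700)")
    if d["breakpoints"]:
        parts.append("%d hardware breakpoint(s) enabled" % len(d["breakpoints"]))
    return "; ".join(parts) if parts else "no flags, no breakpoints (reserved bit only)"


if __name__ == "__main__":
    # 0x400, 0x700 and a constructed value with a 4-byte read/write BPM in DR0
    for value in (0x400, 0x700, 0x700 | 0x1 | (3 << 16) | (3 << 18)):
        print("dr7=%#06x: %s" % (value, describe_dr7(value)))
```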
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE (Win9x) driver answers to its device name. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the open succeeded: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
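Most of the checks above (Methods 01-07, 11, 12 and 13) leave recognisable byte sequences in the protected file, which is how an analyst spots them before ever running the program. The following Python scanner is an added example, not code from the original text or from any tool it names: the opcode bytes are the encodings of the instructions shown in the listings (an assumption about the exact instruction forms used), and the sample buffer is constructed, not taken from a real program.

```python
import re

# Byte signatures for the checks shown in Methods 01-07, 11, 12 and 13.
# Encodings follow the listings above: 16-bit code for the int 2Fh, int 41h
# and int 68h checks, 32-bit code for the others; an optional 0x66 prefix is
# tolerated where a 16-bit instruction may sit in a 32-bit segment.  Patterns
# are case-sensitive on purpose: IGNORECASE would let 0x42 ('B') match 0x62.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ahead of the int 3
    ("m01_boundschecker_bchk", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back door magic values)
    ("m02_int3_backdoor_magic",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    ("m03_int2f_1684_sice", rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("m04_int2f_1684_siwvid", rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("m05_int41_4f_magic", rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h
    ("m07_int68_43", rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("m12_vxdcall_int41dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: device names passed to CreateFileA / _lopen
    ("m11_softice_device_name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys that reveal a SoftICE installation
    ("m13_softice_registry",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(data: bytes) -> list:
    """Return sorted (offset, signature name) pairs for every hit in data."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a few of the stubs above glued together with padding.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # Method 01
    + b"\x00" * 8
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\x00" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"  # Method 12
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                     # Method 13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("%#06x  %s" % (offset, name))
```

To run it over a real file, pass `open(path, "rb").read()` to `scan()`; a hit only says the byte pattern is present, so confirm it in a disassembler before treating it as an anti-debugging check.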
</PRE></TD></TR></TBODY></TABLE>