About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility uses to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
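Added example (not from the original text, and not code from the Haspinst.exe utility): a Python model of what an emulator's or sandbox's int 3 hook would log while replaying the loop above. The memory image, the table offset 0x100 and the command strings are constructed for this example; the AX function codes and the SI/DI magic values are the ones listed above.

```python
# Added example: replay the Haspinst back-door loop the way a monitoring
# int 3 hook would see it, and classify each request. The memory image,
# table offset and command strings are constructed; the register contract
# (AX function codes, SI=4647h, DI=4A4Dh) is the one described in the text.
import struct

MAGIC_SI = 0x4647
MAGIC_DI = 0x4A4D

# AX function codes of the SoftICE back door, as listed in the text.
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# Commands that do more than inspect the debugger: a protected program
# issuing one of these is acting against the user's machine, not just hiding.
DISRUPTIVE_COMMANDS = {"HBOOT"}


def build_sample_image():
    """Construct a tiny 16-bit data segment: a table of near pointers at
    offset 0x100, each pointing to an ASCIIZ SoftICE command (Haspinst order)."""
    commands = [b"LDT", b"IDT", b"GDT", b"TSS", b"RS", b"HBOOT"]
    image = bytearray(0x200)
    str_off = 0x120
    table = []
    for cmd in commands:
        image[str_off:str_off + len(cmd) + 1] = cmd + b"\0"
        table.append(str_off)
        str_off += len(cmd) + 1
    for i, off in enumerate(table):
        struct.pack_into("<H", image, 0x100 + 2 * i, off)
    return bytes(image)


def read_asciiz(mem, off):
    end = mem.index(b"\0", off)
    return mem[off:end].decode("ascii")


def classify_int3(ax, si, di, mem, dx):
    """Decide what a single INT 3 means, the way a debugger hook would.
    Returns (kind, detail, severity)."""
    if (si, di) != (MAGIC_SI, MAGIC_DI):
        return ("plain int 3", "", "info")
    func = BACKDOOR_FUNCS.get(ax)
    if func is None:
        return ("unknown back door function", "ax=%04X" % ax, "warn")
    if ax != 0x0911:
        return (func, "", "warn")
    command = read_asciiz(mem, dx)
    severity = "critical" if command.upper() in DISRUPTIVE_COMMANDS else "warn"
    return (func, command, severity)


def walk_haspinst_loop(mem, table_off=0x100, count=6):
    """Replay the Haspinst loop: BX walks a table of 'count' word pointers,
    each INT 3 executes the command at ds:dx with AX=0911h."""
    log = []
    for i in range(count):
        bx = table_off + 2 * i
        dx = struct.unpack_from("<H", mem, bx)[0]
        log.append(classify_int3(0x0911, MAGIC_SI, MAGIC_DI, mem, dx))
    return log


if __name__ == "__main__":
    for entry in walk_haspinst_loop(build_sample_image()):
        print(entry)
```

The five inspection commands come back as "warn" (the program is probing the debugger) and the last one, HBOOT, as "critical"; an int 3 without the SI/DI magic is logged as an ordinary breakpoint.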
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected


__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es must already be 0 (interrupt vector table), see Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


7 h+ T/ m) Y4 c, d( F. w" q_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========


Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)

__________________________________________________________________________


Method 08
=========


It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========


This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.


   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)
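Added example (not from the original text): a Python decoder for the DR7 values quoted above, so that the difference between 0x700 (loaded through the SoftICE loader) and 0x400 (loaded normally) is visible bit by bit, together with the DR0..DR3 slots a ring0 check would find armed. The bit layout is the documented IA-32 DR7 format; the sample register values at the bottom are constructed.

```python
# Added example: decode DR7 and pair its enabled slots with DR0..DR3.
# Bit layout (IA-32): bits 0-7 L0,G0,L1,G1,L2,G2,L3,G3; bit 8 LE; bit 9 GE;
# bit 10 reserved (reads as 1); bit 13 GD; bits 16-31 R/W and LEN per slot.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN encoding 10b means 8 bytes only in 64-bit mode (undefined on 32-bit).
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return a dict describing DR7: global flags and the 4 breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)
        glob = bool(dr7 >> (2 * i + 1) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "index": i,
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else "none"),
            "kind": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "LE": bool(dr7 >> 8 & 1),               # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 >> 10 & 1),  # architecturally always 1
        "GD": bool(dr7 >> 13 & 1),              # general detect: traps MOV DRx
        "slots": slots,
    }


def armed_breakpoints(dr7, dr0_3):
    """Pair enabled DR7 slots with their DR0..DR3 addresses: this is what
    the ring0 check described in the text reads out (and may clear)."""
    info = decode_dr7(dr7)
    return [(s["index"], addr, s["kind"], s["length"])
            for s, addr in zip(info["slots"], dr0_3) if s["enabled"]]


def explain_loader_value(dr7):
    """Classify the two DR7 values quoted in the text."""
    d = decode_dr7(dr7)
    if d["LE"] and d["GE"]:
        return "exact-breakpoint enables set (matches the 0x700 SoftICE loader case)"
    if not any(s["enabled"] for s in d["slots"]):
        return "only the reserved bit set (matches the 0x400 idle case)"
    return "hardware breakpoints armed"


if __name__ == "__main__":
    print(hex(0x700), explain_loader_value(0x700))
    print(hex(0x400), explain_loader_value(0x400))
    # constructed: a BPM-style 4-byte read/write watch in slot 1, global scope
    dr7 = 0x400 | (1 << 3) | (3 << 20) | (3 << 22)
    print(armed_breakpoints(dr7, [0, 0x401000, 0, 0]))
```

0x700 differs from 0x400 only by the LE and GE bits (8 and 9); 0x400 is the reserved bit alone, so a process loaded without the SoftICE loader sees no breakpoint slot enabled.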

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Open the SoftICE Win9x driver by its device name; the open only
      succeeds when the VxD is loaded and answers the request. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>