<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It probes for the BoundsChecker interface ('BCHK') that SoftICE recognises:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the previous vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
AL holds an unpredictable value read from the timer port and the installed
handler copies AL into CL, so if CL still differs from AL after int 41h the
interrupt never reached that handler (SoftICE swallowed it):

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
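The interrupt-based checks above (Methods 01 to 05 and 07) all reduce to a few fixed immediates followed by an INT opcode, which makes them easy to flag statically when triaging a packed sample. The scanner below is an added example written for this page; it is not part of the original text nor of any tool it mentions. It matches the machine-code encodings of the instruction sequences quoted above, allowing an optional 66h operand-size prefix so that both 16-bit DOS and 32-bit Win32 code are covered, and reports which method's pattern appears at which offset. The sample byte strings are constructed for the demonstration, and the 48-byte window within which the parts of one check must lie is an assumption, not something the text states.

```python
import re
from typing import Dict, List

# Optional 66h operand-size prefix: 'mov ax, imm16' is B8 iw in 16-bit DOS
# code and 66 B8 iw in 32-bit code (and the reverse for 'mov ebp, imm32'),
# so every immediate move below allows it.
OPSIZE = rb"(?:\x66)?"

# Byte-level signatures of the checks quoted in Methods 01-05 and 07.
# Each entry is an ordered list of parts that must all occur, in order,
# within a short window; only operands are fixed, so instructions placed
# between them (the xchg's of Stone's variant, for instance) are tolerated.
SIGNATURES: Dict[str, List[bytes]] = {
    "01 BoundsChecker interface ('BCHK', int 3)": [
        OPSIZE + rb"\xbd\x4b\x48\x43\x42",   # mov ebp, 04243484Bh
        OPSIZE + rb"\xb8\x04\x00",           # mov ax, 04h
        rb"\xcc",                            # int 3
    ],
    "02 SoftICE back door (SI=4647h, DI=4A4Dh, int 3)": [
        OPSIZE + rb"\xbe\x47\x46",           # mov si, 4647h
        OPSIZE + rb"\xbf\x4d\x4a",           # mov di, 4A4Dh
        rb"\xcc",                            # int 3
    ],
    "03 int 2Fh/1684h with VxD ID 0202h (SICE)": [
        OPSIZE + rb"\xb8\x84\x16",           # mov ax, 1684h
        OPSIZE + rb"\xbb\x02\x02",           # mov bx, 0202h
        rb"\xcd\x2f",                        # int 2Fh
    ],
    "04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)": [
        OPSIZE + rb"\xb8\x84\x16",           # mov ax, 1684h
        OPSIZE + rb"\xbb\x5f\x7a",           # mov bx, 7A5Fh
        rb"\xcd\x2f",                        # int 2Fh
    ],
    "05 int 41h/4Fh debugger-installed check": [
        OPSIZE + rb"\xb8\x4f\x00",           # mov ax, 4Fh
        rb"\xcd\x41",                        # int 41h
        OPSIZE + rb"\x3d\x86\xf3",           # cmp ax, 0F386h
    ],
    "07 int 68h/43h V86 handler check": [
        rb"\xb4\x43",                        # mov ah, 43h
        rb"\xcd\x68",                        # int 68h
        OPSIZE + rb"\x3d\x86\xf3",           # cmp ax, 0F386h
    ],
}

# Assumption: the parts of one check lie within this many bytes of each other.
WINDOW = 48


def scan(code: bytes, window: int = WINDOW) -> Dict[str, List[int]]:
    """Return {signature name: [offsets]} for every place in `code` where all
    parts of a signature occur, in order, within `window` bytes."""
    hits: Dict[str, List[int]] = {}
    for name, parts in SIGNATURES.items():
        compiled = [re.compile(p) for p in parts]
        for first in compiled[0].finditer(code):
            pos, limit = first.end(), first.start() + window
            for part in compiled[1:]:
                m = part.search(code, pos, limit)
                if m is None:
                    break
                pos = m.end()
            else:                       # every part matched in order
                hits.setdefault(name, []).append(first.start())
    return hits


# Constructed samples (not real files): a 16-bit fragment modelled on the
# Haspinst.exe listing, and a 32-bit fragment combining Methods 01 and 05.
SAMPLE_DOS = bytes.fromhex(
    "b81109"      # mov ax, 0911h
    "8b17"        # mov dx, [bx]
    "be4746"      # mov si, 4647h
    "bf4d4a"      # mov di, 4A4Dh
    "cc"          # int 3
    "83c302"      # add bx, 2
    "41"          # inc cx
    "83f906"      # cmp cx, 6
    "72e9"        # jb back
)
SAMPLE_WIN32 = bytes.fromhex(
    "bd4b484342"  # mov ebp, 4243484Bh ('BCHK')
    "66b80400"    # mov ax, 4
    "cc"          # int 3
    "3c04"        # cmp al, 4
    "7505"        # jnz SoftICE_Detected
    "90909090"    # padding
    "66b84f00"    # mov ax, 4Fh
    "cd41"        # int 41h
    "663d86f3"    # cmp ax, 0F386h
    "7400"        # jz SoftICE_detected
)
BENIGN = bytes.fromhex("558bec") + bytes(32) + b"\xcc" * 4   # prologue, zeros, int 3 padding

if __name__ == "__main__":
    for label, blob in (("dos", SAMPLE_DOS), ("win32", SAMPLE_WIN32), ("benign", BENIGN)):
        print(label, scan(blob))
```

Run it on a raw code section (not on a whole compressed image, since packed bytes will not match until unpacked); an INT 3 alone is never reported, only the combination with the magic operands, which keeps the false-positive rate low on ordinary debug padding.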
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

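To make the two DR7 values quoted above concrete: 0x400 is only the reserved bit 10 (which always reads as 1), while 0x700 additionally has the LE and GE bits (8 and 9) set; neither value arms any of DR0 to DR3. The decoder below is an added example, not code from the original text. It splits a DR7 value into its enable bits and into the R/W and LEN fields of each breakpoint slot according to the documented layout of the register, so that a value read in ring 0 can be interpreted field by field instead of being compared against one constant. The sample values are constructed.

```python
from typing import Dict, List

# Field encodings of DR7 (Intel SDM): breakpoint condition and length.
RW_MEANING = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b is 8 bytes on 64-bit CPUs, undefined on older ones

BIT_LE, BIT_GE, BIT_RESERVED1, BIT_GD = 8, 9, 10, 13


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split a DR7 value into its fields.

    Layout: bits 0-7 are the L0,G0 ... L3,G3 enable pairs, bit 8 LE, bit 9 GE,
    bit 10 reserved (reads as 1), bit 13 GD (general detect); for slot i,
    bits 16+4i..17+4i are R/Wi and bits 18+4i..19+4i are LENi.
    """
    slots: List[Dict[str, object]] = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)
        glob = bool(dr7 >> (2 * i + 1) & 1)
        rw = dr7 >> (16 + 4 * i) & 3
        ln = dr7 >> (18 + 4 * i) & 3
        slots.append({
            "reg": f"dr{i}",
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else None),
            "type": RW_MEANING[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 >> BIT_LE & 1),
        "GE": bool(dr7 >> BIT_GE & 1),
        "GD": bool(dr7 >> BIT_GD & 1),
        "reserved_bit10": bool(dr7 >> BIT_RESERVED1 & 1),
        "slots": slots,
        "active": [s["reg"] for s in slots if s["enabled"]],
    }


def describe(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """One-line summary that pairs each armed slot with its DRn address."""
    d = decode_dr7(dr7)
    flags = [f for f in ("LE", "GE", "GD") if d[f]]
    parts = [f"dr7={dr7:#x}", "flags=" + (",".join(flags) or "none")]
    for slot, addr in zip(d["slots"], dr0_3):
        if slot["enabled"]:
            parts.append(f"{slot['reg']}={addr:#x} {slot['scope']} {slot['type']} len={slot['len']}")
    if not d["active"]:
        parts.append("no hardware breakpoints armed")
    return "; ".join(parts)


def classify(dr7: int) -> str:
    """Relate a value to the two quoted in Method 10: 0x700 (SoftICE loader,
    LE+GE set) and 0x400 (reserved bit only), or report armed breakpoints."""
    d = decode_dr7(dr7)
    if d["active"]:
        return "hardware breakpoints armed"
    if d["LE"] and d["GE"]:
        return "LE/GE set (0x700 pattern)"
    return "baseline (0x400 pattern)"


# Constructed sample values: the two from the text, plus one with a 4-byte
# write breakpoint armed on dr0 (L0 set, R/W0=01b, LEN0=11b).
SAMPLES = {
    "plain": 0x400,
    "softice_loader": 0x700,
    "bpm_on_dr0": 0x400 | 0x1 | (0b01 << 16) | (0b11 << 18),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:15} {classify(value):28} {describe(value, (0x401000, 0, 0, 0))}")
```

The `dr0_3` tuple is the addresses read from DR0 to DR3 alongside DR7; passing them makes the summary show where each armed BPM points, which is what the trick above inspects.
__________________________________________________________________________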
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

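Both MeltICE (Method 11) and the registry lookup (Method 13) leave fixed strings in the binary: the device names \\.\SICE, \\.\SIWVID and \\.\NTICE, and the three registry paths listed above. The scanner below is an added example written for this page, not the original author's code. It locates those strings in a file image in the ANSI form that CreateFileA, _lopen and RegOpenKeyA receive and in the UTF-16LE form the W variants would use, compares case-insensitively, and maps each hit back to the method it indicates. The sample data section is constructed, and the UTF-16LE and NTICE cases go beyond what the text explicitly shows.

```python
from typing import Dict, List, Tuple

# Strings the two checks depend on: the device names MeltICE opens with
# CreateFileA / _lopen (Method 11) and the registry keys of Method 13.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]
INDICATORS = (
    [("device", n, "Method 11 (MeltICE driver open)") for n in DEVICE_NAMES]
    + [("registry", k, "Method 13 (registry lookup)") for k in REGISTRY_KEYS]
)


def _needles(text: str) -> List[Tuple[str, bytes]]:
    """Both encodings a Win32 program may store the string in: ANSI for the
    A functions and _lopen, UTF-16LE for the W functions. Lower-cased because
    device names and registry paths are case-insensitive."""
    low = text.lower()
    return [("ansi", low.encode("ascii")), ("utf-16le", low.encode("utf-16-le"))]


def find_indicators(image: bytes) -> List[Dict[str, object]]:
    """Locate every indicator string in a file image; one dict per occurrence,
    sorted by offset. bytes.lower() only touches ASCII letters, so the UTF-16LE
    needle (with its zero bytes) still compares correctly."""
    hay = image.lower()
    hits: List[Dict[str, object]] = []
    for kind, text, method in INDICATORS:
        for enc, needle in _needles(text):
            idx = hay.find(needle)
            while idx >= 0:
                hits.append({"offset": idx, "kind": kind, "name": text,
                             "encoding": enc, "method": method})
                idx = hay.find(needle, idx + 1)
    hits.sort(key=lambda h: h["offset"])
    return hits


def methods_indicated(image: bytes) -> List[str]:
    """Distinct anti-SoftICE methods suggested by the strings present."""
    return sorted({h["method"] for h in find_indicators(image)})


# Constructed sample "data section" (not from a real file): two ANSI device
# names as MeltICE stores them, one registry key stored as UTF-16LE, filler.
SAMPLE_IMAGE = (
    bytes(16)
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\siwvid\x00"                                     # mixed case on purpose
    + "Software\\NuMega\\SoftICE".encode("utf-16-le") + b"\x00\x00"
    + b"unrelated data"
)

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_IMAGE):
        print(f"{hit['offset']:#06x} {hit['encoding']:8} {hit['kind']:8} {hit['name']}  ->  {hit['method']}")
    print(methods_indicated(SAMPLE_IMAGE))
```

Because the match is on the literal path rather than on an API name, this also catches the _lopen variant quoted in Method 11, which never calls CreateFileA at all; strings built at run time (XOR-decoded or assembled on the stack) are not caught, which is the usual limit of string scanning.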
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>