<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker interface signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in the SIce window)
  -AX = 0911h (Execute SIce command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint infos)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
& v& O* L8 @# ]5 [$ n( j7 l* D+ B' `. J4 z9 B' `
Method 03& T. r' _3 l7 s. a" A* H* Q
=========
# m9 O$ r6 R0 E7 A( a9 x; Y# \
) p" b; w/ V* g. x& s, F XLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
, e! T/ f6 f5 H" y5 ]/ f0 ?(API Get entry point)$ I* |& y5 @9 _" x% i- J- j$ Q
, T8 X, i+ o5 G0 P$ {, @- ]. n; S! C" t
xor di,di, I6 Z! V$ o; x, ]$ x5 y
mov es,di% u7 K7 g2 x0 i4 w3 V J& m
mov ax, 1684h
/ ~7 K- [0 A9 ? mov bx, 0202h ; VxD ID of winice
" w6 l. W) H+ L; F( Q int 2Fh" }; ~' ?0 Y0 i. E
mov ax, es ; ES:DI -> VxD API entry point8 j1 ] H! {3 r1 o) Z
add ax, di) C+ N- E# \$ q! m
test ax,ax
% i; L8 I) ~/ }" V9 Q: t. t( T jnz SoftICE_Detected
. B1 ]8 ]0 x) i6 V5 p1 B4 h/ s
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; es = 0 (IVT segment), assumed as in method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler just copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer chip: an unpredictable value in al
        xor cx, cx
        int 41h                 ; if our handler ran, cl == al afterwards
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; something else answered int 41h: cl still 0
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025          ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

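Added here as an example (not part of the original text, and not code from any of the tools named above): a Python scanner that looks for the byte patterns of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw file image, the kind of pass an analyst runs over a packed or protected executable before loading it under a debugger. The instruction encodings assume the immediate loads appear exactly as listed above; the sample buffer is constructed, and the device names and registry keys are matched as ANSI strings only.

```python
import re
from typing import List, NamedTuple

class Hit(NamedTuple):
    offset: int   # byte offset of the match in the scanned buffer
    method: str   # method number from the list above

# Byte-level signatures for the checks described above. "\x66?" lets each
# register move match with or without the operand-size prefix, so one pattern
# covers both 16-bit DOS code and 32-bit Win32 code.
SIGNATURES = [
    # 01: mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4
    ("01", rb"\x66?\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc\x3c\x04"),
    # 02: the magic values mov si,4647h and mov di,4A4Dh close together, either order
    ("02", rb"\x66?\xbe\x47\x46.{0,8}\x66?\xbf\x4d\x4a|\x66?\xbf\x4d\x4a.{0,8}\x66?\xbe\x47\x46"),
    # 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    ("03/04", rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # 05: mov ax,4Fh ; int 41h
    ("05", rb"\x66?\xb8\x4f\x00\xcd\x41"),
    # 07: mov ah,43h ; int 68h
    ("07", rb"\xb4\x43\xcd\x68"),
    # 11: device names passed to CreateFileA / _lopen (ANSI strings only)
    ("11", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch), just before call VxDCall
    ("12", rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    # 13: registry keys #1 and #2
    ("13", rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)"),
]

def scan(buf: bytes) -> List[Hit]:
    """Return every signature hit in buf, ordered by offset."""
    hits = []
    for method, pat in SIGNATURES:
        for m in re.finditer(pat, buf, re.DOTALL):
            hits.append(Hit(m.start(), method))
    return sorted(hits)

# Constructed sample buffer (not a real executable): the instruction bytes of
# several of the checks above, separated by NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"   # method 01, 32-bit code
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"   # method 02, 16-bit (as in Haspinst.exe)
    + b"\x90" * 4
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"   # method 04, SIWVID
    + b"\x90" * 4
    + b"\\\\.\\NTICE\x00"                                    # method 11 device name
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                        # method 12
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE"                            # method 13, key #2
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:06x}  method {h.method}")
```

Run it over `open(path, "rb").read()` to scan a real file; a hit only says the bytes are present, so confirm each one in the disassembly before concluding the program checks for SoftICE.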
___________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>