<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh       ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of winice
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh             ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs                ; es is assumed to point to segment 0 (the IVT),
    lea dx, int41handler2     ; as set up explicitly in Method 06
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                              ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                              ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

___________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh            ; function 4Fh
    push 002A002Ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0F386h            ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
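
Added example (my code, not from the original text nor from any tool it names):
a small Python triage scanner that searches a raw binary for the byte encodings of
the magic values used by methods 01 to 13 above, so an analyst can see which of
these tricks a packer or protector carries before loading it under a debugger.
The x86 encodings are the standard ones for the mnemonics quoted; the mapping of
patterns to method numbers, the tags and the sample blob are this example's own
construction.

```python
"""Static triage: find the SoftICE-detection signatures described above
inside a raw binary (DOS/Win9x-era packers and protectors)."""
import re

# tag -> (description, byte regex).  Encodings: mov r16,imm16 = B8+r iw
# (ax=B8 bx=BB si=BE di=BF), mov ebp,imm32 = BD id, mov ah,imm8 = B4 ib,
# int n = CD ib, cmp ax,imm16 = 3D iw, push imm = 68 id / 6A ib.
SIGNATURES = {
    "M01":  ("'BCHK' BoundsChecker check (mov ebp,4243484Bh)", rb"\xBD\x4B\x48\x43\x42"),
    "M02":  ("back door magic values (mov si,4647h / mov di,4A4Dh)",
             rb"\xBE\x47\x46.{0,12}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,12}?\xBE\x47\x46"),
    "M03":  ("SICE VxD ID via int 2Fh/1684h (mov bx,0202h)", rb"\xBB\x02\x02.{0,12}?\xCD\x2F"),
    "M04":  ("SIWVID VxD ID via int 2Fh/1684h (mov bx,7A5Fh)", rb"\xBB\x5F\x7A.{0,12}?\xCD\x2F"),
    "M05":  ("int 41h function 4Fh (mov ax,4Fh ... int 41h)", rb"\xB8\x4F\x00.{0,12}?\xCD\x41"),
    "F386": ("cmp ax,0F386h debugger magic (methods 05/07/12)", rb"\x3D\x86\xF3"),
    "M07":  ("int 68h function 43h (mov ah,43h ... int 68h)", rb"\xB4\x43.{0,12}?\xCD\x68"),
    "M11":  ("MeltICE device name \\\\.\\SICE / SIWVID / NTICE",
             re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    "M12":  ("VWIN32_Int41Dispatch via VxDCall (push 4Fh; push 2A002Ah)",
             rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    "M13":  ("registry key Software\\NuMega\\SoftICE", re.escape(b"Software\\NuMega\\SoftICE")),
}

def scan(data):
    """Return sorted (offset, tag) pairs for every signature hit in data."""
    hits = []
    for tag, (_desc, pattern) in SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):   # DOTALL: '.' matches 0x0A too
            hits.append((m.start(), tag))
    return sorted(hits)

def report(data):
    """One human-readable line per hit: offset, tag, description."""
    return ["%08x  %-4s %s" % (off, tag, SIGNATURES[tag][0]) for off, tag in scan(data)]

# Constructed sample: hand-assembled fragments of the tricks glued together with
# nops.  Not a real binary; the offsets only mean something for this blob.
SAMPLE = (
    b"\x90" * 4                                # 00: filler (nop)
    + b"\xBD\x4B\x48\x43\x42"                  # 04: mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC"                  # 09: mov ax,4 ; int 3
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"          # 14: mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # 21: mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"      # 29: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\xB4\x43\xCD\x68"                      # 37: mov ah,43h ; int 68h
    + b"\\\\.\\SICE\x00"                       # 41: '\\.\SICE',0
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"          # 50: push 4Fh ; push 2A002Ah
    + b"Software\\NuMega\\SoftICE\x00"         # 57: registry key string
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

On a real file, read it with open(path, "rb").read() and pass the bytes to report(); a hit
only says the magic value is present, so confirm it in the disassembly before drawing conclusions.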
</PRE></TD></TR></TBODY></TABLE>