About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: with EBP set
to 'BCHK' and AX = 4, the INT 3 is serviced by SoftICE, which alters AL.
If AL is still 4 afterwards, no SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). The call returns ES:DI = 0000h:0000h when
no entry point is available, which is why the code zeroes ES and DI
beforehand and then tests their sum:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by every system
debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first swaps a dummy IRET
handler into the int 41h vector (ES must already hold 0, the IVT segment),
so AX comes back unchanged unless a debugger intercepts int 41h before the
real-mode vector is reached; the original vector is restored afterwards:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
Instead of the well-known 4Fh, AL is loaded with a changing value read
from the PIT counter (port 40h) and CX is zeroed. If the call reaches the
program's own handler, it copies AL into CL and the compare succeeds; if
the call never gets there because the debugger consumed it, CL stays 0 and
differs from AL (unless AL happened to read as 0):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers (in ring 0 only) you can detect whether
SoftICE is loaded (DR7 = 0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) or whether memory breakpoints are set (DR0 to DR3)
simply by reading their values. The values can be manipulated or changed as
well (clearing BPMs, for instance).
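
As an added illustration of the Method 10 check (example code written for this page, not part of the original text or of any tool it describes), the C block below decodes a DR7 value into its enable bits and per-slot R/W and LEN fields, applies the "LE/GE set or any of DR0..DR3 armed" heuristic the text describes, and builds the DR7 a debugger would write to arm a 4-byte read/write BPM in DR0. Reading the real DR7 needs ring 0 (mov eax, dr7), so the two values quoted in the text, 0x400 and 0x700, and one constructed BPM value are passed in as plain integers; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bit 2n   : Ln  local enable for DRn       bit 2n+1 : Gn global enable
 *   bit 8    : LE  (local exact)              bit 9    : GE (global exact)
 *   bit 10   : reserved, reads as 1 (hence the 0x400 baseline in the text)
 *   bit 13   : GD  (general detect: #DB on any access to a debug register)
 *   bits 16+4n..17+4n : R/Wn  (00 exec, 01 write, 10 I/O, 11 read/write)
 *   bits 18+4n..19+4n : LENn  (00 1 byte, 01 2 bytes, 11 4 bytes) */
typedef struct {
    int enabled;      /* Ln or Gn set: this BPM is live */
    int global;       /* Gn set */
    unsigned rw;      /* R/Wn field */
    unsigned len;     /* LENn field */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le, ge, gd;
    int any_breakpoint;
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info info = {0};
    for (int n = 0; n < 4; n++) {
        int l = (dr7 >> (2 * n)) & 1;
        int g = (dr7 >> (2 * n + 1)) & 1;
        info.slot[n].enabled = l | g;
        info.slot[n].global  = g;
        info.slot[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        info.slot[n].len     = (dr7 >> (18 + 4 * n)) & 3;
        info.any_breakpoint |= info.slot[n].enabled;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* The Method 10 heuristic: LE/GE left set by a system debugger (0x700),
 * or any armed DR0..DR3 slot (a BPM), counts as "debugger present". */
int dr7_looks_debugged(uint32_t dr7)
{
    dr7_info info = decode_dr7(dr7);
    return info.le || info.ge || info.any_breakpoint;
}

/* "Clearing BPMs" as the text mentions: drop the Ln/Gn enable bits. The
 * R/W and LEN fields may stay; they are inert without an enable bit. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & ~0xFFu;
}

/* What a debugger writes to arm DRn as a global read/write BPM with the
 * given LEN code (3 = 4 bytes); DRn itself would hold the linear address. */
uint32_t dr7_arm_rw(uint32_t dr7, int n, unsigned len_code)
{
    dr7 |= 1u << (2 * n + 1);                       /* Gn */
    dr7 |= 3u << (16 + 4 * n);                      /* R/Wn = 11b */
    dr7 &= ~(3u << (18 + 4 * n));                   /* clear LENn */
    dr7 |= (len_code & 3u) << (18 + 4 * n);         /* set LENn */
    return dr7;
}

int main(void)
{
    /* Constructed sample values: the two quoted in the text plus one with
     * a 4-byte read/write BPM armed in DR0 on top of the 0x700 baseline. */
    uint32_t samples[3] = { 0x400, 0x700, 0 };
    samples[2] = dr7_arm_rw(0x700, 0, 3);           /* = 0x000F0702 */
    for (int i = 0; i < 3; i++) {
        dr7_info d = decode_dr7(samples[i]);
        printf("DR7=%08X LE=%d GE=%d GD=%d debugged=%d\n",
               (unsigned)samples[i], d.le, d.ge, d.gd,
               dr7_looks_debugged(samples[i]));
        for (int n = 0; n < 4; n++)
            if (d.slot[n].enabled)
                printf("  DR%d armed (%s) rw=%u len=%u\n", n,
                       d.slot[n].global ? "global" : "local",
                       d.slot[n].rw, d.slot[n].len);
    }
    return 0;
}
```

The 0x700 versus 0x400 distinction in the text is exactly bits 8 and 9 (LE and GE) on top of the always-set bit 10; a live BPM additionally shows up as one of the low eight enable bits, which is what the "clear BPMs" manipulation removes.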

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job. _lopen returns HFILE_ERROR (-1) on failure, so
the INC/JNZ pair tests for a successful open:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets at which
'tICE' sits inside the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
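
The conditional breakpoints given for Method 11 (BPX CreateFileA if *(esp->4+4)=='SICE' ...) and for Method 13 above both work the same way: they compare a dword at a fixed offset into the string argument with a 4-character constant. The C block below is an added example, not part of the original text: it derives such offsets from the strings and emulates the "dword at offset equals 4-character tag" test with memcmp on the bytes as they sit in memory (SoftICE's own expression evaluator is not involved), so the same style of breakpoint can be worked out for other driver names or registry paths. The sample strings are the ones quoted on this page; the function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offset at which the 4-character tag first occurs in s, or -1 if absent.
 * This is how 0x13 and 0x37 in the _regopenkey breakpoint were obtained. */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1;
}

/* Emulates the breakpoint expression *(ptr+off)=='TAGX': true when the 4
 * bytes at s+off equal the tag. A string too short to hold 4 bytes at that
 * offset is treated as a miss (the real expression would read past the
 * terminator and compare whatever follows). */
int dword_tag_matches(const char *s, size_t off, const char *tag)
{
    if (strlen(s) < off + 4) return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11: CreateFileA receives "\\.\NAME", so esp->4+4 skips the
 * 4-byte "\\.\" prefix and lands on the first 4 letters of the driver name. */
int is_softice_device_name(const char *path)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (dword_tag_matches(path, 4, tags[i])) return 1;
    return 0;
}

/* Method 13: RegOpenKey's subkey (esp->8) is checked at the two offsets
 * where 'tICE' sits in keys #2 and #1 of the text. */
int is_softice_registry_subkey(const char *subkey)
{
    return dword_tag_matches(subkey, 0x13, "tICE") ||
           dword_tag_matches(subkey, 0x37, "tICE");
}

int main(void)
{
    /* Constructed inputs: the strings quoted on this page plus two that
     * must not match (an ordinary device, and key #3 which has no 'tICE'). */
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    const char *devices[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                              "\\\\.\\PhysicalDrive0" };
    for (size_t i = 0; i < 3; i++)
        printf("'tICE' at offset %ld in %s -> hit=%d\n",
               tag_offset(keys[i], "tICE"), keys[i],
               is_softice_registry_subkey(keys[i]));
    for (size_t i = 0; i < 4; i++)
        printf("%s -> hit=%d\n", devices[i], is_softice_device_name(devices[i]));
    return 0;
}
```

Because the breakpoints test fixed offsets, a program that opens the same key through a differently spelled path (or a device name with a different prefix length) slips past them; tag_offset shows where the new constant has to go.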

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.