<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: the program
issues int 3 with EBP = 'BCHK' (04243484Bh) and AX = 4. If SoftICE is loaded,
its int 3 handler recognises the signature and comes back with AL no longer
equal to 4; if no SoftICE is present, AL still holds 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description of the int 3 back door (AX selects the function):
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at DS:DX)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/AX=1684h (Get Device API Entry Point). ES:DI is zeroed before the
call and comes back unchanged when no VxD with that ID is loaded, so a
non-zero ES:DI means SoftICE is there.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers in answer to int 41h, function 4Fh (the debugger installation
check). There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). Here the real-mode int 41h vector
is temporarily replaced by a do-nothing handler, so AX can only come back as
0F386h if a debugger handled the interrupt before control would have reached
the real-mode vector:

        xor ax,ax
        mov es,ax               ; ES = 0 -> the interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]   ; in DX:BX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
function number 4Fh and no magic number 0F386h appear, so a
"BPINT 41 if ax==4f" breakpoint will not catch it. AL is loaded with a
pseudo-random value (the timer counter read from port 40h), and the
temporary int 41h handler copies AL into CL. After the interrupt, CL equals
AL only if that handler really executed; if a debugger took the int 41h
instead, CL is left at 0 and the comparison fails.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]   ; in DX:BX
        in al, 40h              ; AL = low byte of timer channel 0
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86): function AH=43h
is the int 68h debugger installation check, and a loaded debugger answers
with AX = 0F386h.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
    is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detection of SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with DS:DX
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, 01h                     ; or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The VMM Get_DDB service is used to determine whether or not a VxD is
installed for the specified device and returns a Device Description Block
(in ECX) for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if EAX (the VxD ID) is 0
                                ; (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only), a program can tell whether
SoftICE is loaded (DR7 = 0x700 if the program was loaded with the SoftICE
loader, 0x400 otherwise: bits 8 and 9 are the LE/GE exact-breakpoint enables,
set when you load through the SoftICE loader, while bit 10 is reserved and
always reads 1) and whether memory breakpoints are set (DR0 to DR3). The
values can be modified as well (clearing BPMs, for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; if the open succeeds, the driver
(and so SoftICE) is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                   *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR = -1 on failure, so
"inc eax / jnz" means "the open succeeded"):

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected
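The MeltICE probe generalised to the three driver names the text lists, plus the
condition of the classical CreateFileA breakpoint reproduced in C so you can see
why the offset is +4 and why the literals are 4-character prefixes. This is an
added example, not code from the page, from MeltICE or from nmtrans.dll: the
real CreateFileA opener is only compiled on Windows, and the fake opener used
elsewhere models a made-up machine on which only the SIWVID driver answers.

```c
/* Added example (not from the original page, MeltICE or nmtrans.dll):
 * 1) the MeltICE probe over the three driver names the text lists
 *    (SICE and SIWVID on Win9x, NTICE on NT), with an injectable opener so
 *    the logic also runs off Windows;
 * 2) the condition of the classical breakpoint
 *      BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 *    evaluated in C. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Device names probed by the MeltICE family of checks (from the page). */
static const char *const softice_devices[] = {
    "\\\\.\\SICE",    /* Win9x: SoftICE core VxD  */
    "\\\\.\\SIWVID",  /* Win9x: SoftICE video VxD */
    "\\\\.\\NTICE",   /* Windows NT driver        */
};
#define N_DEVICES (sizeof softice_devices / sizeof softice_devices[0])

/* An opener returns nonzero if `path` could be opened (and closes it again). */
typedef int (*open_probe_fn)(const char *path);

#ifdef _WIN32
/* Real opener: the same CreateFileA/CloseHandle pair the page shows. */
static int win32_open_probe(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Index of the first SoftICE device that opened, or -1 if none did
 * (SoftICE not detected). */
int softice_probe(open_probe_fn try_open)
{
    size_t i;
    for (i = 0; i < N_DEVICES; i++)
        if (try_open(softice_devices[i]))
            return (int)i;
    return -1;
}

/* SoftICE's 'SICE' literal is a 4-byte compare, so this is what the
 * breakpoint condition really evaluates: the four bytes at lpFileName+4,
 * i.e. just past the "\\.\" prefix. 'SIWV' and 'NTIC' are simply the first
 * four characters of SIWVID and NTICE. */
int bpx_createfilea_hit(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    size_t i;
    if (strlen(lpFileName) < 8)         /* shorter than "\\.\XXXX": no hit */
        return 0;
    for (i = 0; i < 3; i++)
        if (memcmp(lpFileName + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

/* Constructed opener for running off Windows: a made-up Win9x box on which
 * only the SIWVID driver answers. */
static int fake_open_probe(const char *path)
{
    return strcmp(path, "\\\\.\\SIWVID") == 0;
}

int main(void)
{
#ifdef _WIN32
    int hit = softice_probe(win32_open_probe);
#else
    int hit = softice_probe(fake_open_probe);
#endif
    printf("probe: %s\n", hit < 0 ? "not detected" : softice_devices[hit]);
    printf("BPX fires for \\\\.\\NTICE: %d, for C:\\tmp\\x.txt: %d\n",
           bpx_createfilea_hit("\\\\.\\NTICE"),
           bpx_createfilea_hit("C:\\tmp\\x.txt"));
    return 0;
}
```

The probe stops at the first driver that answers, exactly as MeltICE does, and
closes the handle so the check leaves no trace beyond the DIOC_OPEN /
DIOC_CLOSEHANDLE pair the text describes.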
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" inside the subkey strings of #2 and #1):

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
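Where the 0x13 and 0x37 offsets in that breakpoint come from, as an added
example that is not part of the original page: esp->8 is the second RegOpenKey
argument, lpSubKey, which carries the path below HKEY_LOCAL_MACHINE (the root
goes in hKey, the first argument). The block locates "tICE" in each of the
three subkeys listed above, evaluates the breakpoint condition the way SoftICE
does (a 4-byte compare at fixed offsets) and shows that key #3
(App Paths\Loader32.Exe) slips through, since its name contains no "tICE".

```c
/* Added example (not from the original page): derive the offsets used by
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * from the three subkey strings the text lists. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* lpSubKey values as a program would pass them to RegOpenKey(HKLM, ...). */
static const char *const softice_subkeys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",      /* #1 */
    "Software\\NuMega\\SoftICE",                                             /* #2 */
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe", /* #3 */
};
#define N_SUBKEYS (sizeof softice_subkeys / sizeof softice_subkeys[0])

/* Offset of the first "tICE" in a subkey (the four bytes the breakpoint
 * compares), or -1 if it does not occur. */
int tice_offset(const char *lpSubKey)
{
    const char *p = strstr(lpSubKey, "tICE");
    return p ? (int)(p - lpSubKey) : -1;
}

/* 4-byte compare at a fixed offset; a string shorter than off+4 cannot
 * match (SoftICE would just read whatever follows the terminator). */
static int eq4_at(const char *s, size_t off, const char *tag)
{
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* The breakpoint condition as written on the page. */
int bpx_regopenkey_hit(const char *lpSubKey)
{
    return eq4_at(lpSubKey, 0x13, "tICE") || eq4_at(lpSubKey, 0x37, "tICE");
}

/* How many of the three listed subkeys the breakpoint actually catches. */
int subkeys_caught(void)
{
    int n = 0;
    size_t i;
    for (i = 0; i < N_SUBKEYS; i++)
        n += bpx_regopenkey_hit(softice_subkeys[i]);
    return n;
}

int main(void)
{
    size_t i;
    for (i = 0; i < N_SUBKEYS; i++)
        printf("#%u  tICE at offset %d  BPX hit: %d  %s\n", (unsigned)(i + 1),
               tice_offset(softice_subkeys[i]),
               bpx_regopenkey_hit(softice_subkeys[i]), softice_subkeys[i]);
    printf("subkeys caught by the breakpoint: %d of %u\n",
           subkeys_caught(), (unsigned)N_SUBKEYS);
    return 0;
}
```

"Software\NuMega\" is 16 bytes long, so the 't' of "SoftICE" in key #2 sits at
16+3 = 0x13; "Software\Microsoft\Windows\CurrentVersion\Uninstall\" is 52
bytes, giving 52+3 = 0x37 for key #1. A program probing only key #3 needs a
different condition.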
___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only); the zero flag is clear when one is.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>