About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker query
    cmp     al,4                   ; al untouched (still 4) means nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES must be 0 so es:[41h*4] is the IVT entry of int 41h
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own dummy int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; ...a loaded SoftICE still answers before it
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if SoftICE did not swallow int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value read from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our own handler executed
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________5 ~. L& p5 a/ c+ y% @

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________+ V8 F& v: ]! x

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds when the VxD is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________) u. A1 ~8 q6 n  E% y

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
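The instruction encodings and strings that methods 01, 02, 03/04, 05/07/12, 11 and 13 above rely on can be turned into a static triage check, so a sample carrying these anti-SoftICE tricks is flagged before it is ever run. The scanner below is an added example, not code from the original article: the byte patterns are my own encodings of the instructions quoted above, and the sample buffer is constructed.

```python
"""Static triage of a binary for the anti-SoftICE signatures described above.

Added example, not part of the original article: it searches a byte buffer for
the instruction encodings and strings that methods 01, 02, 03/04, 05/07/12, 11
and 13 rely on. Encodings are the 16-bit real-mode forms; 32-bit code emits the
same bytes behind a 66h operand-size prefix, which these patterns tolerate
because they start at the opcode byte.
"""
import re

# (label, regex over raw bytes). Immediates are little-endian, as in memory.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42 (B8+5 = ebp)
    ("M01 BoundsChecker BCHK/int3", re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ; mov di,4A4Dh back-door magic -> BE 47 46 BF 4D 4A
    ("M02 back-door magic SI/DI", re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A")),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> (0202h SICE, 7A5Fh SIWVID)
    ("M03 int 2Fh/1684h SICE", re.compile(rb"\xB8\x84\x16\xBB\x02\x02")),
    ("M04 int 2Fh/1684h SIWVID", re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A")),
    # Methods 05/07/12: cmp ax,0F386h -> 3D 86 F3 (only 3 bytes: weak on its own)
    ("M05/07/12 cmp ax,0F386h", re.compile(rb"\x3D\x86\xF3")),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name", re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry key naming the SoftICE installation
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(buf):
    """Return every hit as (offset, label), sorted by offset."""
    hits = [(m.start(), label) for label, pat in SIGNATURES
            for m in pat.finditer(buf)]
    return sorted(hits)


def methods_found(buf):
    """Distinct labels in order of first appearance; [] means nothing matched."""
    seen = []
    for _, label in scan(buf):
        if label not in seen:
            seen.append(label)
    return seen


# Constructed sample: NOP filler around the exact byte sequences of a few methods.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # method 01, 32-bit form
    + b"\x90" * 8
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # method 02, AX=0911h
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # method 05, int 41h/4Fh
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                    # method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                      # method 13 key
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

The three-byte cmp ax,0F386h pattern and the short int 2Fh sequences will also match by chance in large binaries, so treat hits as leads to confirm in a disassembler rather than as proof.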