<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce windows)
    -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI == 0000:0000 means no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in a dummy int 41h handler (es must address the IVT at segment 0)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; the dummy handler leaves ax untouched; only a debugger returns the magic value
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our own handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer port: a value that is hard to predict
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if our handler never ran, something else owns int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

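Added example (mine, not part of the original text): a C decoder for the DR7
layout, showing why the two values quoted above mean what they mean. 0x400 is
only bit 10, which is reserved and always reads as 1, so nothing is armed; 0x700
adds bits 8 and 9 (LE/GE, the exact-breakpoint flags) with still no breakpoint
enabled. The state names in dr7_classify are my own, not SoftICE terms.

```c
#include <stdint.h>
#include <stdbool.h>

/* Decoded view of the x86 DR7 debug-control register (Intel SDM layout). */
struct dr7_view {
    bool local_enable[4];   /* L0..L3 at bits 0,2,4,6 */
    bool global_enable[4];  /* G0..G3 at bits 1,3,5,7 */
    bool le, ge;            /* LE bit 8, GE bit 9: exact-breakpoint flags */
    bool gd;                /* GD bit 13: general detect (traps DRn access) */
    bool reserved_bit10;    /* bit 10: reserved, hard-wired to 1 -> the 0x400 */
    unsigned rw[4];         /* R/Wn: 0=exec, 1=write, 3=read/write */
    unsigned len[4];        /* LENn: 0=1 byte, 1=2 bytes, 3=4 bytes */
    int enabled_count;      /* breakpoints with L or G set */
};

struct dr7_view dr7_decode(uint32_t dr7)
{
    struct dr7_view v = {0};
    for (int i = 0; i < 4; i++) {
        v.local_enable[i]  = (dr7 >> (2 * i)) & 1;
        v.global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        v.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        v.len[i] = (dr7 >> (18 + 4 * i)) & 3;
        if (v.local_enable[i] || v.global_enable[i])
            v.enabled_count++;
    }
    v.le = (dr7 >> 8) & 1;
    v.ge = (dr7 >> 9) & 1;
    v.reserved_bit10 = (dr7 >> 10) & 1;
    v.gd = (dr7 >> 13) & 1;
    return v;
}

/* What Method 10 reads off DR7 (my own names): nothing set at all (0x400),
 * only the LE/GE flags set as the SoftICE loader leaves them (0x700), or at
 * least one hardware breakpoint (a BPM) actually armed. */
enum dr7_state { DR7_IDLE, DR7_EXACT_FLAGS_ONLY, DR7_BREAKPOINTS_ARMED };

enum dr7_state dr7_classify(uint32_t dr7)
{
    struct dr7_view v = dr7_decode(dr7);
    if (v.enabled_count > 0)
        return DR7_BREAKPOINTS_ARMED;
    if (v.le || v.ge)
        return DR7_EXACT_FLAGS_ONLY;
    return DR7_IDLE;
}
```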
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 code: CreateFile/CloseHandle and the constants below come from windows.h */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

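Added example (mine, not from the original text): a C model of the 4-byte tag
compares behind the _regopenkey breakpoint above and the CreateFileA one in
Method 11, so the 0x13 / 0x37 and +4 offsets can be checked rather than taken
on trust. It assumes lpSubKey is the path below HKEY_LOCAL_MACHINE (that is
how the offsets line up) and that lpFileName carries the "\\.\" device prefix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A SoftICE condition like *(ptr+off)=='tICE' compares one dword at a fixed
 * offset into a string argument. Model it byte for byte, and never read past
 * the terminating NUL (a shorter string simply does not match). */
bool tag_at(const char *s, size_t off, const char *tag)
{
    size_t n = strlen(s);
    if (off + 4 > n)
        return false;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11: esp->4 is CreateFileA's lpFileName; +4 skips the 4-char "\\.\"
 * prefix, so the dword there is the first four letters of the device name. */
bool createfile_bpx_condition(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE") ||
           tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* Method 13: esp->8 is RegOpenKey's lpSubKey (assumed: path below HKLM).
 * 0x13 and 0x37 are where the "tICE" of "SoftICE" sits in keys #2 and #1. */
bool regopenkey_bpx_condition(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* Offset of the first "tICE" in a key path, or -1 if absent: this is how the
 * two constants in the breakpoint are derived from the key names. */
long tice_offset(const char *path)
{
    const char *p = strstr(path, "tICE");
    return p ? (long)(p - path) : -1;
}

/* The three key paths from this method, as constructed C literals. */
static const char *const KEY1 =
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
static const char *const KEY2 = "Software\\NuMega\\SoftICE";
static const char *const KEY3 =
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";
```

Key #3 contains no "tICE" at all, so the breakpoint above does not fire on it;
only accesses to #1 and #2 are covered.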
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>