<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3       ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
4C19:00A8 JB 0095     ; 6 different commands.
4C19:00AA JMP 0002    ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; es is assumed to address the IVT (segment 0) here
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
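As an added illustration that is not part of the original text, the following Python decodes a DR7 value using the bit layout documented in the Intel SDM, so that the two values quoted above can be read: 0x400 is DR7 with nothing set (bit 10 is a reserved bit that always reads as 1), 0x700 additionally has the LE and GE exact-breakpoint enables, and any L0-L3/G0-G3 bit set means a hardware breakpoint (a BPM) is armed on the matching dr0-dr3 address. The function names, the sample breakpoint address and the wording of the summary are my own.

```python
# DR7 bit layout per the Intel SDM (vol. 3, "Debug Registers").
# The 0x700 / 0x400 values are the ones quoted in Method 10.
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the control flags and the armed hardware breakpoints encoded in DR7."""
    bps = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1          # L0..L3
        glob = (dr7 >> (2 * slot + 1)) & 1       # G0..G3
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11     # R/W0..R/W3: what kind of access traps
        ln = (dr7 >> (18 + 4 * slot)) & 0b11     # LEN0..LEN3: size of the watched range
        bps.append({"slot": slot, "addr": dr0_3[slot],
                    "scope": "global" if glob else "local",
                    "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool((dr7 >> 8) & 1),    # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),    # global exact breakpoint enable
        "gd": bool((dr7 >> 13) & 1),   # general detect: any MOV to/from DRn itself traps
        "breakpoints": bps,
    }


def describe(dr7, dr0_3=(0, 0, 0, 0)):
    """One-line reading of a DR7 value in the terms Method 10 uses (hypothetical helper)."""
    d = decode_dr7(dr7, dr0_3)
    notes = []
    if d["le"] and d["ge"]:
        notes.append("LE+GE set (the 0x700 pattern the text attributes to the SoftICE loader)")
    if d["breakpoints"]:
        notes.append("%d hardware breakpoint(s) armed (BPM)" % len(d["breakpoints"]))
    if d["gd"]:
        notes.append("GD set: any access to the debug registers will itself trap")
    return "dr7=%#x: %s" % (dr7, "; ".join(notes) or "no exact-enable flags, no breakpoints")


if __name__ == "__main__":
    # The two values quoted in the text, plus a constructed DR7 with one
    # local 4-byte write breakpoint (BPM) armed on a made-up address in dr0.
    print(describe(0x700))
    print(describe(0x400))
    armed = 0x400 | 0b01 | (0b01 << 16) | (0b11 << 18)
    print(describe(armed, (0x401000, 0, 0, 0)))
    print(decode_dr7(armed, (0x401000, 0, 0, 0))["breakpoints"])
```

Reading DR7 itself still requires ring0, as the text says; the decoder only interprets a value that has already been obtained.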

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE (SoftICE for Win9x) driver answers an open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00              ; OF_READ
    mov eax,[00656634]   ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589         ; detected
    push 00              ; OF_READ
    mov eax,[00656638]   ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae          ; not detected


__________________________________________________________________________
Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
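Methods 01, 02, 03/04, 05/07, 11 and 12 all leave fixed immediates or strings in the protected program: the 'BCHK' constant, the 4647h/4A4Dh magic pair, the 1684h call with a SoftICE VxD ID, the 0F386h compare, the 002A002Ah VxDCall argument and the \\.\SICE-style device names. As an added example, not part of the original text, here is a small Python scanner that flags those byte patterns in a file image, the way an analyst triaging a packer would. The instruction encodings are the 16-bit x86 forms of the sequences quoted above (e.g. mov si,4647h is BE 47 46), the search windows between markers are a heuristic of my own, and the sample buffer is constructed inline.

```python
import re
import sys

# Rules: (label, byte pattern). Encodings are the 16-bit x86 forms of the
# sequences quoted in the text; the .{0,N}? windows are a heuristic assumption
# allowing a few unrelated bytes between the marker instructions.
RULES = [
    ("M01 'BCHK' immediate (mov ebp,4243484Bh) followed by int 3",
     re.compile(rb"\x4b\x48\x43\x42.{0,16}?\xcc", re.DOTALL)),
    ("M02 back-door magic pair mov si,4647h / mov di,4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}?\xbe\x47\x46",
                re.DOTALL)),
    ("M03/M04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
                re.DOTALL)),
    ("M05/M07/M12 cmp ax,0F386h (system-debugger magic number)",
     re.compile(rb"\x3d\x86\xf3")),
    ("M12 push 4Fh / push 002A002Ah before VxDCall",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    ("M11 MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
]


def scan(data):
    """Return sorted (offset, label) pairs for every rule hit in data."""
    hits = []
    for label, pat in RULES:
        for m in pat.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample image: the quoted sequences assembled by hand, separated
# by NOP padding, so each rule fires exactly once at a known offset.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42" + b"\xb8\x04\x00" + b"\xcc" + b"\x3c\x04"  # M01 at 5
    + b"\x90" * 3
    + b"\xb8\x11\x09" + b"\xbe\x47\x46" + b"\xbf\x4d\x4a" + b"\xcc"      # M02 at 21
    + b"\xb8\x84\x16" + b"\xbb\x02\x02" + b"\xcd\x2f"                    # M03 at 28
    + b"\xb8\x4f\x00" + b"\xcd\x41" + b"\x3d\x86\xf3"                    # M05 cmp at 41
    + b"\x6a\x4f" + b"\x68\x2a\x00\x2a\x00"                              # M12 at 44
    + b"\x00" + b"\\\\.\\SICE" + b"\x00"                                 # M11 at 52
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE
    for offset, label in scan(data):
        print("%08x  %s" % (offset, label))
```

Run it with a file path to scan a real image, or with no argument to scan the constructed buffer. Treat a hit as a cue for manual review rather than proof: the patterns are short and can occur by chance in unrelated data, and 32-bit code carries an extra 66h prefix on the 16-bit forms, which the windows tolerate only where a prefix sits between markers.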

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>