<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL is still 4 if nobody answered the int 3
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get entry point').

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler in the IVT
    xchg bx, es:[41h*4+2]   ; (ES must point to segment 0, as in Method 06)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves AX untouched
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl, al              ; only runs if our handler is really reached
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; hard to predict value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL -> somebody else handled int 41h
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS "set interrupt vector"
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
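The conditional breakpoints of Methods 11, 12 and 13 all read the caller's
stack arguments with SoftICE's `x->n` operator (the dword at [x+n]) and compare
four bytes of memory with a character constant, and the offsets 4, 0x13 and
0x37 are not arbitrary: they are where 'SICE' sits after the "\\.\" prefix and
where 'tICE' sits inside the two registry paths of Method 13. The model below is
an added example, not part of the original text: it evaluates those three
conditions against a constructed flat memory image holding a fake stack frame.
The memory layout (string at 0x100, stack at 0x300, a fake return address) and
the treatment of 'SICE' as a memory-order byte compare are my assumptions; the
value of HKEY_LOCAL_MACHINE is the real Win32 constant.

```python
"""Evaluate the SoftICE breakpoint conditions of Methods 11, 12 and 13 on a
constructed memory image. Addresses are offsets into a flat bytes object."""
from typing import Tuple

HKEY_LOCAL_MACHINE = 0x80000002


def u32(mem: bytes, addr: int) -> int:
    """Little-endian dword at addr; SoftICE's x->n reads [x+n] this way."""
    return int.from_bytes(mem[addr:addr + 4], "little")


def fourcc(mem: bytes, addr: int) -> str:
    """The four bytes at addr as text, i.e. what *(addr)=='SICE' compares."""
    return mem[addr:addr + 4].decode("latin-1")


def bpx_createfilea(mem: bytes, esp: int) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'"""
    lp_filename = u32(mem, esp + 4)        # esp->4: first argument, lpFileName
    # +4 skips the "\\.\" device prefix; 'SIWV' and 'NTIC' are the first
    # four letters of SIWVID and NTICE
    return fourcc(mem, lp_filename + 4) in ("SICE", "SIWV", "NTIC")


def bpx_vxdcall(mem: bytes, esp: int) -> bool:
    """BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f (Method 12)"""
    # push 4Fh, then push 2A002Ah: the last push is nearest the return address
    return u32(mem, esp + 4) == 0x002A002A and u32(mem, esp + 8) == 0x4F


def bpx_regopenkey(mem: bytes, esp: int) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    lp_subkey = u32(mem, esp + 8)          # esp->8: second argument, lpSubKey
    # 0x13: "Software\NuMega\SoftICE" (key #2); 0x37: "Software\Microsoft\
    # Windows\CurrentVersion\Uninstall\SoftICE" (key #1)
    return (fourcc(mem, lp_subkey + 0x13) == "tICE"
            or fourcc(mem, lp_subkey + 0x37) == "tICE")


def frame(*args: int, string: bytes = b"", string_at: int = 0x100) -> Tuple[bytes, int]:
    """Constructed image: a NUL-terminated string at string_at and a stack at
    0x300 holding a fake return address followed by the call arguments."""
    mem = bytearray(0x400)
    mem[string_at:string_at + len(string) + 1] = string + b"\x00"
    esp = 0x300
    mem[esp:esp + 4] = (0x00401071).to_bytes(4, "little")   # fake return address
    for i, arg in enumerate(args, start=1):
        mem[esp + 4 * i:esp + 4 * i + 4] = arg.to_bytes(4, "little")
    return bytes(mem), esp


if __name__ == "__main__":
    print("CreateFileA(\\\\.\\SICE)      ->", bpx_createfilea(*frame(0x100, string=b"\\\\.\\SICE")))
    print("CreateFileA(C:\\readme.txt) ->", bpx_createfilea(*frame(0x100, string=b"C:\\readme.txt")))
    print("RegOpenKey(NuMega\\SoftICE) ->", bpx_regopenkey(*frame(HKEY_LOCAL_MACHINE, 0x100,
                                                                   string=b"Software\\NuMega\\SoftICE")))
    print("VxDCall(2A002A, 4F)        ->", bpx_vxdcall(*frame(0x002A002A, 0x4F)))
```

Counting the characters of key #1 gives 't' of "SoftICE" at index 55 (0x37)
and of key #2 at index 19 (0x13), which is exactly what the breakpoint tests;
a different subkey such as "Software\NuMega\Other" leaves both reads unmatched.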

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>