<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL is left untouched if nobody answered the int 3
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point").

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0000:0000 if the VxD is absent
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is expected to be 0000h here (the interrupt vector table),
    ; as it is set explicitly in Method 06.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and put the old vector back
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h          ; our handler leaves AX alone; only a debugger
    jz SoftICE_detected     ; that took the interrupt returns the magic value

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; remember what AL was when we got called
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0000h (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = a byte from the PIT counter, not function 4Fh
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if our handler never ran, CL is still 0 and
    jnz SoftICE_detected    ; something else took the interrupt

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
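Added example, not part of the original text: the DR7 bit layout below is the one
Intel documents for the debug control register, decoded in Python so you can see
what the 0x700 and 0x400 values above actually mean, what a set BPM looks like in
DR7 and what "clearing BPMs" amounts to. The function names and the constructed
sample value 0xF0702 are this example's own.

```python
# Added example: decode an x86 DR7 value according to the Intel SDM layout.
# Bits 0-7: L0/G0 .. L3/G3 enable pairs; bit 8: LE; bit 9: GE; bit 10: reserved,
# always reads as 1 (hence the 0x400 baseline); bit 13: GD; bits 16-31: R/W and
# LEN fields, four bits per breakpoint slot. Function names are this example's own.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # "io" needs CR4.DE
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}    # encoding 2 (8 bytes) is 64-bit only

def decode_dr7(dr7):
    """Split a DR7 value into its global flags and four breakpoint slots."""
    info = {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "slots": [],
    }
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        info["slots"].append({
            "enabled": local or glob,
            "global": glob,
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return info

def active_breakpoints(dr7):
    """Indexes of the DRn slots (0-3) that have a breakpoint enabled."""
    return [i for i, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]

def loaded_by_softice_loader(dr7):
    """Method 10's heuristic: LE and GE both set (0x700) vs. only the reserved bit (0x400)."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]

def clear_breakpoints(dr7):
    """What 'clearing BPMs' does to DR7: drop every enable, R/W and LEN field
    and keep only bits 8-15 (LE, GE, the reserved bit, GD)."""
    return dr7 & 0xFF00

# Constructed sample: the SoftICE-loader baseline 0x700 plus a global 4-byte
# read/write BPM in slot 0: G0 = bit 1 (0x2), R/W0 = 11b at bits 16-17
# (0x30000), LEN0 = 11b at bits 18-19 (0xC0000)  ->  0xF0702.
SAMPLE_DR7 = 0x700 | 0x2 | 0x30000 | 0xC0000

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_DR7):
        print(hex(value), active_breakpoints(value), decode_dr7(value)["slots"][0])
```

Reading DR7 this way is the same information the trick above extracts; a protection
that does it in ring0 sees exactly these fields, and a debugger that wants to stay
unnoticed has to keep all four slots disabled while the check runs.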

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the VxD by its device name only succeeds if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; _lopen returns -1 on failure, so 0 here
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________
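Added example, not part of the original text and not code from any of the
programs named above: most of these tricks leave a recognisable trace in the
binary, either an instruction sequence (Methods 01, 02, 03/04, 05, 07 and 12)
or a plain string (the device names of Method 11, the registry keys of Method
13), so an analyst can spot them with a static scan before ever stepping into
the code. The Python scanner below does that over raw bytes. Opcode encodings
are the standard Intel ones; the signature labels, the scan() helper and the
SAMPLE blob are constructed for this example.

```python
import re

# Added example. Each entry pairs a label (this example's own naming) with a
# regex over raw bytes. Encodings used: B8/BB/BE/BF = mov r16,imm16; BD = mov
# ebp,imm32 (32-bit code); B4 = mov ah,imm8; CD = int imm8; 6A/68 = push imm8/imm32.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK'), stored little-endian
    ("method01_boundschecker_bchk", rb"\xbd\x4b\x48\x43\x42"),
    # Method 02: mov si,4647h followed within a few bytes by mov di,4A4Dh
    ("method02_backdoor_magic_si_di", rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("method03_04_int2f_1684_vxd_id",
     rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Method 05: mov ax,4Fh ; int 41h
    ("method05_int41_fn4f", rb"\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("method07_int68_ah43", rb"\xb4\x43\xcd\x68"),
    # Method 11: the device names opened with CreateFileA or _lopen
    ("method11_meltice_device_name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("method12_vxdcall_int41dispatch",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    # Method 13: registry keys that reveal the SoftICE install directory
    ("method13_softice_registry_key", rb"(?:NuMega|Uninstall)\\SoftICE"),
]
COMPILED = [(name, re.compile(pattern, re.DOTALL)) for name, pattern in SIGNATURES]

def scan(data):
    """Return every (offset, signature name) hit in data, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)

def hit_names(data):
    """Distinct signature names in the order they first appear in data."""
    seen = []
    for _, name in scan(data):
        if name not in seen:
            seen.append(name)
    return seen

# Constructed sample blob (not a real binary): NOP filler, a Method 02 stub
# shaped like the Haspinst.exe one, a Method 05 check, a MeltICE device name
# and a Method 13 registry key string.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x11\x09"                      # mov ax,0911h
    + b"\x8b\x17"                          # mov dx,[bx]
    + b"\xbe\x47\x46"                      # mov si,4647h
    + b"\xbf\x4d\x4a"                      # mov di,4A4Dh
    + b"\xcc"                              # int 3
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41"              # mov ax,4Fh ; int 41h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                   # the string \\.\SICE
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the pattern is present, not that the code path is reachable, and
packers that build the magic values at run time (or store the device name
obfuscated) will not show up; treat the output as a list of places worth
looking at, then confirm with the breakpoints given under each method.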

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>