<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(( !

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911 ; execute command.
    4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647 ; 1st magic value.
    4C19:009D MOV DI,4A4D ; 2nd magic value.
    4C19:00A0 INT 3       ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02   ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
    4C19:00A8 JB 0095     ; 6 different commands.
    4C19:00AA JMP 0002    ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; ES must point to the IVT (segment 0) here
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number ; (01h or 03h)
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
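As an added illustration (my own code, not from the original text), a Python decoder of the DR7 bit layout documented by Intel: it shows why the loader state reads 0x700 (LE and GE set on top of the always-set bit 10) against the idle 0x400, and lists which of dr0..dr3 are armed as the memory breakpoints mentioned above. The register values used are constructed.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2i   = Li  local enable for DRi      bit 2i+1 = Gi  global enable
#   bit 8    = LE  local exact breakpoint    bit 9    = GE  global exact
#   bit 10   = reserved, always reads as 1   bit 13   = GD  general detect
#   bits 16+4i..17+4i = R/Wi (condition)     bits 18+4i..19+4i = LENi (size)
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}


def describe_dr7(dr7):
    """Decode the control bits of DR7 into named flags."""
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
        "any_enabled": bool(dr7 & 0xFF),
    }


def active_breakpoints(dr0_3, dr7):
    """List (index, address, condition, length) for every enabled DR0..DR3."""
    found = []
    for i, addr in enumerate(dr0_3[:4]):
        enabled = (dr7 >> (2 * i)) & 3      # Li | Gi
        if not enabled:
            continue
        cond = (dr7 >> (16 + 4 * i)) & 3
        size = (dr7 >> (18 + 4 * i)) & 3
        found.append((i, addr, RW_TYPES[cond], LENGTHS[size]))
    return found


def softice_loader_signature(dr7):
    """True for the 0x700 state the text attributes to the SoftICE loader."""
    flags = describe_dr7(dr7)
    return flags["LE"] and flags["GE"] and not flags["any_enabled"]


# Constructed values: a clean machine, the loader state, and one BPM
# armed as a 4-byte write watch on a constructed address in DR0.
CLEAN_DR7 = 0x400
LOADER_DR7 = 0x700
BPM_DR7 = 0x400 | 0x1 | (1 << 16) | (3 << 18)   # L0, R/W0=write, LEN0=4
BPM_DR0_3 = [0x401000, 0, 0, 0]

if __name__ == "__main__":
    print(describe_dr7(LOADER_DR7))
    print(active_breakpoints(BPM_DR0_3, BPM_DR7))
```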

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
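As an added example (my own code, not from the original text), a Python byte-pattern scanner of the kind an analyst runs over a sample to flag which of the SoftICE checks from methods 01-07, 11, 12 and 13 it carries. The opcode encodings are standard x86 ones I derived from the mnemonics above, and the sample buffer is constructed.

```python
import re

# Standard x86 encodings (mine, derived from the mnemonics on this page).
# "int 3" is accepted as CC or CD 03; 16-bit and 32-bit forms as noted.
INT3 = rb"(?:\xCC|\xCD\x03)"
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 (32-bit code)
    "m01_boundschecker": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00" + INT3,
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic (16-bit, either order)
    "m02_backdoor_magic": rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh (16-bit)
    "m03_m04_vxd_entry": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h (16-bit, a few bytes apart)
    "m05_int41_4f": rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "m07_int68_43": rb"\xB4\x43\xCD\x68\x3D\x86\xF3",
    # Method 11: driver names handed to CreateFileA / _lopen
    "m11_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    "m12_vxdcall_int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry key #2 probed for the install directory
    "m13_registry_key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data):
    """Return sorted (offset, signature name) pairs for every hit in data."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


# Constructed sample: NOP filler with methods 01, 05, 11 and 13 embedded.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 + cmp/jnz
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # method 05 + jz
    + b"\x00\x00" + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"          # method 11 strings
    + b"Software\\NuMega\\SoftICE\x00"                               # method 13 key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x} {name}")
```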

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>