About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: with
EBP='BCHK' and AX=4, SoftICE answers the int 3 and AL no longer holds 4
afterwards; without SoftICE nobody touches AL.

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h                ; BoundsChecker function 4
    int     3                      ; answered by SoftICE if it is loaded
    cmp     al,4                   ; AL unchanged -> nobody answered
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one).  It is used
to reach SoftICE's 'back door commands', which give information on
breakpoints, execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back
non-zero.

    xor     di,di
    mov     es,di           ; ES:DI = 0 before the call
    mov     ax, 1684h       ; int 2Fh: Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; (still 0:0 if the VxD is not present)
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; int 2Fh: Get Device API Entry Point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh          ; int 41h function 4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h      ; a system debugger answers with 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The int 41h vector is first replaced by
a dummy handler, so that without a system debugger the call comes back
with ax unchanged, then the original vector is restored:

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:
the handler copies al into cl, and al is seeded from the PIT counter
(port 40h) so the value differs from call to call.  If our handler runs,
cl equals al; if SoftICE intercepts the int 41h instead, cl stays 0 and
the compare fails.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; PIT channel 0 counter: a changing value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

    mov     ah,43h          ; int 68h function 43h: debugger installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________



Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h (single step) or 03h (breakpoint)
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

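The following is an added example, not code from the original post: a small C
decoder for DR7 that makes the 0x700 / 0x400 values above concrete. The bit
layout is the documented Intel one; the sample values are constructed from
the post, not read from a live machine (in ring 0 the real value would come
from "mov eax, dr7", which is why the post says ring 0 only). The helper
names dr7_decode, dr7_arm and dr7_disarm are this example's own.

```c
/* Added example, not part of the original post: decoding DR7 the way a
 * ring-0 check of method 10 would.  The 0x700 / 0x400 values are the ones the
 * post quotes, used here as constructed input; the bit layout is from the Intel
 * SDM (vol. 3, "Debug Registers"). */
#include <stdint.h>
#include <stdio.h>

/* R/W and LEN field encodings for each breakpoint slot in DR7 */
enum { DR7_RW_EXEC = 0, DR7_RW_WRITE = 1, DR7_RW_IO = 2, DR7_RW_READWRITE = 3 };
enum { DR7_LEN_1 = 0, DR7_LEN_2 = 1, DR7_LEN_8 = 2, DR7_LEN_4 = 3 };

#define DR7_LE       (1u << 8)   /* local exact breakpoint enable  */
#define DR7_GE       (1u << 9)   /* global exact breakpoint enable */
#define DR7_RESERVED (1u << 10)  /* always reads as 1: the bare 0x400 */
#define DR7_GD       (1u << 13)  /* general detect: trap on DR access */

struct dr7_info {
    int armed[4];     /* slot n has L or G set (a BPM is live on DRn) */
    unsigned rw[4];   /* DR7_RW_* for slot n */
    unsigned len[4];  /* DR7_LEN_* for slot n */
    int le, ge, gd;
};

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info in = {{0}};
    for (int i = 0; i < 4; i++) {
        in.armed[i] = ((dr7 >> (2 * i)) & 3u) ? 1 : 0;   /* Ln | Gn */
        in.rw[i]    = (dr7 >> (16 + 4 * i)) & 3u;
        in.len[i]   = (dr7 >> (18 + 4 * i)) & 3u;
    }
    in.le = (dr7 & DR7_LE) != 0;
    in.ge = (dr7 & DR7_GE) != 0;
    in.gd = (dr7 & DR7_GD) != 0;
    return in;
}

/* Number of live hardware breakpoints (SoftICE's BPM uses DR0..DR3). */
int dr7_armed_breakpoints(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += ((dr7 >> (2 * i)) & 3u) ? 1 : 0;
    return n;
}

/* The check the post describes: a clean DR7 is just the reserved bit (0x400).
 * Anything else (0x700 = reserved|LE|GE left by the SoftICE loader, or any
 * armed slot) means a debugger has touched the register. */
int dr7_debugger_suspected(uint32_t dr7)
{
    return (dr7 & ~DR7_RESERVED) != 0;
}

/* Build the DR7 a BPM on slot 'slot' would produce (what a debugger writes). */
uint32_t dr7_arm(uint32_t dr7, int slot, unsigned rw, unsigned len, int global)
{
    dr7 &= ~(0xFu << (16 + 4 * slot));          /* clear old R/W and LEN */
    dr7 |= (rw & 3u)  << (16 + 4 * slot);
    dr7 |= (len & 3u) << (18 + 4 * slot);
    dr7 |= 1u << (2 * slot + (global ? 1 : 0)); /* Ln or Gn */
    return dr7;
}

/* "Values can be manipulated": drop every enable and control bit, keep only
 * what the CPU forces to 1.  Written back in ring 0 this kills all BPMs
 * without the debugger noticing. */
uint32_t dr7_disarm(uint32_t dr7)
{
    return dr7 & DR7_RESERVED;
}

int main(void)
{
    uint32_t samples[] = { 0x400u, 0x700u,
                           dr7_arm(0x700u, 0, DR7_RW_READWRITE, DR7_LEN_1, 0) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info d = dr7_decode(samples[i]);
        printf("dr7=%#07x  LE=%d GE=%d armed=%d  suspected=%d  disarmed=%#x\n",
               (unsigned)samples[i], d.le, d.ge, dr7_armed_breakpoints(samples[i]),
               dr7_debugger_suspected(samples[i]), (unsigned)dr7_disarm(samples[i]));
    }
    return 0;
}
```

0x400 decodes as the reserved bit alone; 0x700 adds LE and GE, which is
what the loader leaves behind even with no BPM set; a BPM RW on DR0 adds L0
plus its R/W and LEN fields (0x30701). dr7_disarm is the "clearing BPMs"
manipulation the post mentions.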
__________________________________________________________________________

Method 11
=========


This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device namespace name of the SoftICE VxD */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the open succeeded, so the driver is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091



There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(


-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:


   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 if the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

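An added example, not code from the original post, from MeltICE or from
nmtrans.dll: the same CreateFileA probe extended to the three driver names
the post lists (SICE, SIWVID, NTICE). The real Win32 probe is only compiled
on Windows; elsewhere a constructed probe that pretends NTICE is present
stands in for it so the loop can be exercised. softice_probe,
softice_device_path and the fake_*_probe helpers are this example's own names.

```c
/* Added example (not from the original post): the MeltICE check extended to
 * the three driver names the post lists.  The probe is pluggable so the
 * selection logic runs anywhere; on Windows the real CreateFileA probe is
 * compiled in. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns non-zero if the device-namespace path could be opened. */
typedef int (*open_probe_fn)(const char *path);

/* SICE and SIWVID are the Win9x VxDs, NTICE the NT driver. */
static const char *const softice_devices[] = { "SICE", "SIWVID", "NTICE" };

/* Builds "\\.\NAME" into buf; returns 0 if buf is too small. */
int softice_device_path(const char *name, char *buf, size_t len)
{
    int n = snprintf(buf, len, "\\\\.\\%s", name);
    return n > 0 && (size_t)n < len;
}

/* Returns the name of the first SoftICE driver whose device opens, or NULL
 * if none does (the "not loaded" outcome). */
const char *softice_probe(open_probe_fn probe)
{
    char path[64];
    for (size_t i = 0; i < sizeof softice_devices / sizeof softice_devices[0]; i++) {
        if (!softice_device_path(softice_devices[i], path, sizeof path))
            continue;
        if (probe(path))
            return softice_devices[i];
    }
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
/* The real check, with the same flags as the post's sample.  On 9x this ends
 * up as a DIOC_OPEN at the VxD's Control_Dispatch, which is why an IFS hook
 * never sees it. */
int win32_open_probe(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Constructed stand-in for a machine with NTICE loaded: only that device
 * name opens.  Lets the selection logic run without SoftICE present. */
int fake_ntice_probe(const char *path)
{
    return strcmp(path, "\\\\.\\NTICE") == 0;
}

/* Constructed stand-in for a clean machine: nothing opens. */
int fake_clean_probe(const char *path)
{
    (void)path;
    return 0;
}

int main(void)
{
    const char *hit;
#ifdef _WIN32
    hit = softice_probe(win32_open_probe);
#else
    hit = softice_probe(fake_ntice_probe);
#endif
    printf("SoftICE %s%s\n", hit ? "detected via " : "not detected", hit ? hit : "");
    return 0;
}
```

The INVALID_HANDLE_VALUE test is the "cmp eax,-001" seen in the MeltICE
disassembly; the _lopen variant checks the same thing through HFILE_ERROR.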

__________________________________________________________________________

Method 12
=========


This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.


   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========


Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed   ; ZF set if no debugger is installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>