<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number   ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD on Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded only because the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
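Every trick from Method 01 to Method 13 leaves a fixed byte sequence or string in the binary (the 'BCHK' immediate, the 4647h/4A4Dh pair, the int 41h/4Fh call, the \\.\SICE device names, the NuMega registry key), so a sample carrying them can be flagged statically before it is ever run under a debugger. The scanner below is an added example, not code from the original text: the signature names, the regexes and the SAMPLE bytes are constructed here, and the choice to start each pattern at the opcode byte (so a 0x66 operand-size prefix in 32-bit code does not break the match) is my assumption.

```python
import re

# Byte-level patterns for the checks quoted in Methods 01-13. The 16-bit forms may
# carry a 0x66 operand-size prefix when they appear in 32-bit code, so each pattern
# starts at the opcode byte rather than at the prefix.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)":
        re.escape(b"\xBD\x4B\x48\x43\x42"),
    "M02 back door magic (mov si,4647h ... mov di,4A4Dh)":
        re.escape(b"\xBE\x47\x46") + b".{0,4}?" + re.escape(b"\xBF\x4D\x4A"),
    "M03/M04 VxD entry point (mov ax,1684h ... int 2Fh)":
        re.escape(b"\xB8\x84\x16") + b".{0,8}?" + re.escape(b"\xCD\x2F"),
    "M05 system debugger check (mov ax,4Fh / int 41h)":
        re.escape(b"\xB8\x4F\x00\xCD\x41"),
    "M07 WinICE V86 handler (mov ah,43h / int 68h)":
        re.escape(b"\xB4\x43\xCD\x68"),
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)":
        re.escape(b"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    "M11 SoftICE driver name string":
        re.escape(b"\\\\.\\") + b"(SICE|SIWVID|NTICE)",
    "M13 SoftICE registry key string":
        re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in COMPILED.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample (not a real binary): fragments of the Method 01, 02, 05 and
# 11 sequences separated by NOP/zero filler, as they might sit in a packer stub.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 2
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"           # driver names as MeltICE passes them
)

if __name__ == "__main__":
    import sys
    # Scan the file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:#010x}  {name}")
```

A hit on one of these patterns is a lead, not proof: a legitimate debugger-aware program or a copy of this very list would match too, so confirm by reading the surrounding code.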
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>