About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the Win9x SoftICE driver */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )   /* open succeeded: driver is loaded */
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-01
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________
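As an added example (not part of the original post and not the author's code), here is a small Python scanner that looks for the byte-level signatures of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw code image, the kind of static triage an analyst runs on a packed sample before deciding how to unpack it. The rule set, the optional 66h operand-size prefix handling and the sample image are constructed here; the instruction encodings are standard x86.

```python
import re

# Each rule is (name, byte pattern). Standard x86 encodings: B8+r = mov r,imm;
# CD xx = int xx; CC = int 3; 3D imm16 = cmp ax,imm16; 3C imm8 = cmp al,imm8.
# An optional 66h prefix is allowed where 16-bit and 32-bit code differ.
# A hit is a triage hint, not proof: packers may reorder or obfuscate these.
RULES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("bchk_int3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC.{0,8}?\x3C\x04", re.S)),
    # Method 02: back-door magic values mov si,4647h / mov di,4A4Dh
    ("backdoor_magic",
     re.compile(rb"\xBE\x47\x46\x66?\xBF\x4D\x4A|\xBF\x4D\x4A\x66?\xBE\x47\x46",
                re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("int2f_1684_vxd_id",
     re.compile(rb"\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S)),
    # Methods 05/12: int 41h fn 4Fh, or VxDCall 002A002Ah, then cmp ax,0F386h
    ("int41_4f_f386",
     re.compile(rb"(?:\xB8\x4F\x00\xCD\x41|\x6A\x4F\x68\x2A\x00\x2A\x00)"
                rb".{0,12}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("int68_43", re.compile(rb"\xB4\x43\xCD\x68", re.S)),
    # Methods 11/13: driver names (ASCII only) and the NuMega registry path
    ("driver_name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("registry_path", re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(image: bytes):
    """Return (offset, rule_name) pairs for every signature hit, by offset."""
    hits = [(m.start(), name) for name, rx in RULES for m in rx.finditer(image)]
    return sorted(hits)


def summarize(hits):
    """Rule name -> hit count, the one line you would put in a triage report."""
    counts = {}
    for _, name in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample image (not from any real binary): a 32-bit method 01
# check, a method 12 VxDCall probe and two MeltICE-style driver names.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"          # mov ax,4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al,4
    + b"\x75\x10"                  # jnz SoftICE_Detected
    + b"\x90" * 3
    + b"\x6A\x4F"                  # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"      # push 002A002Ah (VWIN32_Int41Dispatch)
    + b"\xFF\x15\x00\x10\x40\x00"  # call dword ptr [Kernel32!ORD_0001]
    + b"\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x74\x05"                  # jz SoftICE_detected
    + b"\\\\.\\SICE\x00"           # "\\.\SICE",0
    + b"\\\\.\\NTICE\x00"          # "\\.\NTICE",0
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:08x}  {name}")
    print(summarize(scan(SAMPLE)))
```

Running it on a real file is `scan(open(path, "rb").read())`; NT-era binaries may carry the driver names as UTF-16, which this ASCII rule set does not cover.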

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>