<TABLE width=500>
<TBODY>
<TR>
9 x! m; ^& m/ @- M. W5 _7 E6 \<TD><PRE>Method 01
# J. @! H @3 J; A=========
4 d' y* J* `( w( M
1 T% m, d/ G" P2 {# L* [This method of detection of SoftICE (as well as the following one) is* Y9 x& H" j& O
used by the majority of packers/encryptors found on Internet.
2 v0 c% q( W6 X3 T* bIt seeks the signature of BoundsChecker in SoftICE" L3 D9 T8 p3 f* |4 z, n0 k
8 [3 B/ m" T2 S$ B$ F
mov ebp, 04243484Bh ; 'BCHK'
1 C1 D* ^# h, {1 \/ B mov ax, 04h
1 _, T3 ?2 H2 z; w- Q int 3
3 M6 Q1 L# K5 i2 Z* _" t) M4 i$ ^* d8 s cmp al,4
% Y& L. V: j, ]! ]" ]! U" w0 P- | jnz SoftICE_Detected3 b9 Y3 o2 O! ?
! p. _/ w0 C( W$ l4 u1 c9 S
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV  AX,0911      ; execute command.
    4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV  SI,4647      ; 1st magic value.
    4C19:009D MOV  DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD  BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC  CX
    4C19:00A5 CMP  CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB   0095         ; 6 different commands.
    4C19:00AA JMP  0002         ; Bad_Guy jmp back.
    4C19:00AD MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI left at 0:0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; temporarily point int 41h at a dummy handler
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install int41handler as the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer port: an unpredictable value in al
    xor cx, cx
    int 41h                 ; the dummy handler copies al into cl...
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; ...unless SoftICE swallowed the int 41h call
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; DOS set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SoftICE (Win9x) driver answers the handle open. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001     ; INVALID_HANDLE_VALUE
    00401074: je   00401091     ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                    ; HFILE_ERROR (-1) becomes 0
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

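As an added example (not part of the original text), a small Python scanner that looks for the byte encodings of the tricks described in methods 01, 02, 03, 04, 05, 07 and 12 above, plus the driver and registry names of methods 11 and 13, in a raw binary: the kind of triage an analyst runs on a packed sample before debugging it. The patterns, the gap windows between operands and the sample blob are my own assumptions, not a signature set from the original.

```python
"""Scan a raw code/data blob for the SoftICE checks described above.

Each signature is the x86 encoding of the instructions quoted in the text
(methods 01, 02, 03, 04, 05, 07, 12 and the 11/13 driver/registry names).
Patterns, gap windows and the sample blob are constructed for this example.
"""
import re

# Small ".{0,N}?" gaps allow a few unrelated instructions between the
# tell-tale operands, as real packers interleave them. re.S lets "." match 0x0A.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' in ebp + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    ("02", "int 3 backdoor, SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,16}?\xCC", re.S)),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.S)),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.S)),
    ("05", "int 41h function 4Fh (magic F386h)",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    ("07", "int 68h function 43h (magic F386h)",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    ("12", "push 002A002Ah: VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("11/13", "driver name or NuMega registry key",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)|NuMega\\SoftICE")),
]


def scan(blob: bytes):
    """Return (offset, method, description) hits sorted by offset."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes):
    """Deduplicated, sorted list of method numbers seen in the blob."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample: the Haspinst.exe backdoor sequence (method 02), the
# simplest int 41h/4Fh check (05), the SIWVID VxD lookup (04) and a
# NUL-terminated \\.\SICE device name (11), padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,0911 ... int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # mov ax,4Fh / int 41h / cmp ax,F386h
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"   # xor di,di ... mov bx,7A5Fh / int 2Fh
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"offset {off:#06x}: method {method}: {desc}")
```

A hit only says the instruction bytes are present; confirm in the disassembly that they are reachable code rather than data before treating the sample as anti-debug protected.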
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>