<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI = 0000:0000 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next one, as well as the one in the following method, are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0, so es:[41h*4] is the int 41h IVT entry
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h          ; our handler returns ax unchanged: only a
        jz SoftICE_Detected     ; debugger intercepting int 41h answers 0F386h

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; copy AL into CL to prove this handler ran
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0, so es:[41h*4] is the int 41h IVT entry
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer counter: a changing value in AL
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL != AL means our handler never ran, i.e.
        jnz SoftICE_Detected    ; something else intercepted int 41h
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the device could be opened: the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
            ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
            ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>