<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is changed only if SoftICE answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es -> interrupt vector table (segment 0), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h                 ; our handler leaves ax alone unless a debugger intercepts
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer value: a hard-to-predict byte
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our own handler was reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> the new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

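The two dr7 values quoted above can be read off bit by bit with the architectural DR7 layout; this is an added example, not code from the original page, and the function names are assumptions made for it.

```c
/* Added example, not from the original page: decode the DR7 values quoted
 * in Method 10 (0x700 with the SoftICE loader, 0x400 otherwise) using the
 * architectural DR7 layout. Bits 0-7: L0/G0..L3/G3 (local/global enable of
 * DR0..DR3); bit 8: LE; bit 9: GE (exact breakpoint enables); bit 10:
 * reserved, always reads 1 (hence the idle 0x400); bits 16-31: R/Wn and
 * LENn condition/length fields for DR0..DR3. */
#include <stdint.h>
#include <stdio.h>

struct dr7_fields {
    int local_en[4];   /* Ln  : breakpoint n enabled for the current task */
    int global_en[4];  /* Gn  : breakpoint n enabled globally */
    int le, ge;        /* LE/GE: exact breakpoint enable (local/global) */
    int rw[4];         /* R/Wn: 0=exec, 1=write, 2=I/O, 3=read/write */
    int len[4];        /* LENn: 0=1 byte, 1=2 bytes, 2=8 bytes, 3=4 bytes */
};

struct dr7_fields dr7_decode(uint32_t dr7)
{
    struct dr7_fields f;
    for (int n = 0; n < 4; n++) {
        f.local_en[n]  = (dr7 >> (2 * n)) & 1;
        f.global_en[n] = (dr7 >> (2 * n + 1)) & 1;
        f.rw[n]        = (dr7 >> (16 + 4 * n)) & 3;
        f.len[n]       = (dr7 >> (18 + 4 * n)) & 3;
    }
    f.le = (dr7 >> 8) & 1;
    f.ge = (dr7 >> 9) & 1;
    return f;
}

/* Number of DR0..DR3 slots armed (local or global enable set): these are
 * the memory breakpoints (BPM) the page says can be seen in dr0-dr3. */
int dr7_armed_count(uint32_t dr7)
{
    struct dr7_fields f = dr7_decode(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += (f.local_en[n] | f.global_en[n]);
    return count;
}

/* 0x700 differs from the idle 0x400 only by LE and GE being set. */
int dr7_has_exact_enables(uint32_t dr7)
{
    struct dr7_fields f = dr7_decode(dr7);
    return f.le && f.ge;
}

int main(void)
{
    uint32_t samples[] = { 0x400, 0x700, 0x701 };   /* constructed values */
    for (int i = 0; i < 3; i++)
        printf("dr7=0x%03x armed=%d LE&&GE=%d\n", samples[i],
               dr7_armed_count(samples[i]), dr7_has_exact_enables(samples[i]));
    return 0;
}
```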
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device opened: the SoftICE VxD is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001     ; INVALID_HANDLE_VALUE
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                ; HFILE_ERROR (-1) becomes 0
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

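To see what the magic offsets in the CreateFileA breakpoint of Method 11 (+4) and the _regopenkey breakpoint above (0x13, 0x37) actually select, here is an added example, not code from the original page, that evaluates both conditions offline on constructed argument strings; the function names are assumptions made for it.

```c
/* Added example, not from the original page: evaluates the breakpoint
 * conditions of Method 11 and Method 13 offline on constructed strings.
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->4 / esp->8 are the first / second stack argument (lpFileName /
 * lpSubKey); *(p+n)=='XXXX' compares the four bytes at p+n with the tag.
 * Function names are assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Four bytes at offset `off` of `s` equal `tag`? Unlike the debugger
 * expression, refuse to read past the string's terminator. */
static int dword_at_is(const char *s, size_t off, const char *tag)
{
    if (off + 4 > strlen(s))
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11: "+4" skips the "\\.\" device prefix of lpFileName. */
int createfile_bp_hits(const char *lpFileName)
{
    return dword_at_is(lpFileName, 4, "SICE") ||
           dword_at_is(lpFileName, 4, "SIWV") ||
           dword_at_is(lpFileName, 4, "NTIC");
}

/* Method 13: 0x13 and 0x37 are where "tICE" sits inside registry keys
 * #2 (Software\NuMega\SoftICE) and #1 (...\Uninstall\SoftICE). */
int regopenkey_bp_hits(const char *lpSubKey)
{
    return dword_at_is(lpSubKey, 0x13, "tICE") ||
           dword_at_is(lpSubKey, 0x37, "tICE");
}

/* Offset of "tICE" in s (or -1): recovers the magic offsets from the key paths. */
long tice_offset(const char *s)
{
    const char *p = strstr(s, "tICE");
    return p ? (long)(p - s) : -1;
}

int main(void)
{
    /* Constructed sample arguments, as the two breakpoints would see them. */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0" };
    const char *keys[]  = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (int i = 0; i < 4; i++)
        printf("CreateFileA(%s) -> %d\n", files[i], createfile_bp_hits(files[i]));
    for (int i = 0; i < 3; i++)
        printf("RegOpenKey tICE@%ld -> %d\n", tice_offset(keys[i]),
               regopenkey_bp_hits(keys[i]));
    return 0;
}
```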
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed            ; zero flag clear if a debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>