About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in our own int 41h vector (es must be 0,
    xchg    bx, es:[41h*4+2]    ; the IVT segment, as Method 06 sets it)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; reached only if int 41h really got to our vector
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 -> IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read the timer port: a changing byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl != al: something else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

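Added example (not from the original post): a Python decoder for the DR7 bit layout documented in the Intel SDM, so the two values quoted above (0x400 idle, 0x700 after the SoftICE loader) can be read field by field instead of compared as magic numbers. classify_dr7 applies the rule stated in Method 10; bpm_dr7 is a helper of my own that builds test values the way a debugger would when it arms one hardware breakpoint.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"): bits 0-7 are the L0/G0 .. L3/G3
# enable pairs, bit 8 LE, bit 9 GE, bit 10 reserved (always reads 1, hence the
# idle value 0x400), bit 13 GD, and bits 16-31 hold the R/W and LEN fields of
# the four breakpoint slots.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into its fields; 'slots' lists only enabled breakpoints."""
    slots = {}
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots[i] = {
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        }
    return {
        "slots": slots,
        "local_exact": bool((dr7 >> 8) & 1),
        "global_exact": bool((dr7 >> 9) & 1),
        "general_detect": bool((dr7 >> 13) & 1),
    }


def classify_dr7(dr7: int) -> str:
    """Apply the Method 10 rule: 0x400 is idle, 0x700 (LE and GE set, no slot
    enabled) is what the SoftICE loader leaves behind, and any enabled slot
    means a BPM-style hardware breakpoint is armed."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "hardware breakpoints armed: slots %s" % sorted(d["slots"])
    if d["local_exact"] and d["global_exact"]:
        return "no slots armed, LE/GE set (SoftICE loader signature per Method 10)"
    return "idle"


def bpm_dr7(slot: int, kind: str, length: int, global_scope: bool = False) -> int:
    """Helper (my own, for constructing test values): the DR7 a debugger writes
    to arm one breakpoint, keeping reserved bit 10 set as hardware reports it."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot + (1 if global_scope else 0))
    return 0x400 | enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


if __name__ == "__main__":
    for value in (0x400, 0x700, bpm_dr7(0, "write", 4)):
        print(hex(value), "->", classify_dr7(value), decode_dr7(value)["slots"])
```

Reading DR7 needs ring0, as the text says; the decoder is meant for values an analyst has already captured (from a kernel debugger or a crash dump), not for probing a live system.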
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name only resolves when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

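Added example, not part of the original post nor of any tool it mentions: a Python scanner that searches a raw code image for the byte encodings of the interrupt-based checks in Methods 01 to 07 and 12, and for the device names and registry keys of Methods 11 and 13, so an analyst can flag which anti-SoftICE tricks a sample carries before tracing it. The byte patterns are my own hand assembly of the instructions quoted above (16-bit immediates for the DOS tricks, which also match the 32-bit forms after a 66h operand-size prefix); build_sample() constructs the input from the Haspinst.exe sequence and the 'BCHK' load shown earlier.

```python
import re

# Byte-level signatures for the tricks described on this page (my own encodings).
# '.{0,8}?' allows up to 8 bytes of unrelated instructions between the immediate
# load and the interrupt, as in the Method 03/04 listings.
CODE_SIGNATURES = {
    "M01: mov ebp,4243484Bh ('BCHK') before int 3":      rb"\xBD\x4B\x48\x43\x42",
    "M02: mov si,4647h / mov di,4A4Dh (int 3 back door)": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
    "M03: mov bx,0202h ... int 2Fh (SICE VxD ID)":       rb"\xBB\x02\x02.{0,8}?\xCD\x2F",
    "M04: mov bx,7A5Fh ... int 2Fh (SIWVID VxD ID)":     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F",
    "M05: mov ax,4Fh ... int 41h (debugger check)":      rb"\xB8\x4F\x00.{0,8}?\xCD\x41",
    "M07: mov ah,43h ... int 68h (WinICE handler)":      rb"\xB4\x43.{0,8}?\xCD\x68",
    "M12: push 002A002Ah (VWIN32_Int41Dispatch VxDCall)": rb"\x68\x2A\x00\x2A\x00",
}

# Driver device names opened by MeltICE-style checks (M11) and the registry
# keys of M13, searched both as ASCII and as UTF-16LE.
STRING_SIGNATURES = {
    "M11: SICE device name": "\\\\.\\SICE",
    "M11: SIWVID device name": "\\\\.\\SIWVID",
    "M11: NTICE device name": "\\\\.\\NTICE",
    "M13: NuMega SoftICE registry key": "Software\\NuMega\\SoftICE",
    "M13: SoftICE uninstall key": "CurrentVersion\\Uninstall\\SoftICE",
}


def scan(blob: bytes) -> list:
    """Return sorted (offset, label) hits for every signature found in blob."""
    hits = []
    for label, pattern in CODE_SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), label))
    for label, text in STRING_SIGNATURES.items():
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            start = blob.find(needle)
            while start != -1:
                hits.append((start, "%s [%s]" % (label, enc)))
                start = blob.find(needle, start + 1)
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test input: the Haspinst.exe sequence from Method 02, the
    Method 01 'BCHK' load and a MeltICE-style device name, between NOP padding."""
    haspinst = (b"\xB8\x11\x09"     # MOV AX,0911
                b"\x8B\x17"         # MOV DX,[BX]
                b"\xBE\x47\x46"     # MOV SI,4647
                b"\xBF\x4D\x4A"     # MOV DI,4A4D
                b"\xCC")            # INT 3
    bchk = b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"  # mov ebp,'BCHK'; mov ax,4; int 3
    pad = b"\x90" * 16
    return pad + haspinst + pad + bchk + pad + b"\\\\.\\SICE\x00" + pad


if __name__ == "__main__":
    for offset, label in scan(build_sample()):
        print("%08x  %s" % (offset, label))
```

On a real sample, feed scan() the raw file bytes (or, better, the unpacked code section, since packers apply these checks inside their stubs); a hit only says the instruction bytes are present, so confirm with a BPX as described above before relying on it.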
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>