About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
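Most of the methods above leave recognisable residue in a binary: the immediate values and interrupt numbers of methods 01, 02, 05, 07 and 12, the device names of method 11, and the registry path of method 13. The following C program is an added example (not part of the original post, nor from any of the tools it names): a small static scanner an analyst can run over a file image to flag that residue during triage. It assumes standard x86 encodings with the instructions emitted back to back as in the listings (16-bit operand encodings for the DOS-era sequences, the 32-bit `mov ebp` form for the BCHK check, and `push imm8` for `push 4Fh`); the method labels are my own, and the sample image at the bottom is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One signature: a label, the raw bytes to look for, and their length. */
struct signature {
    const char *label;
    const unsigned char *bytes;
    size_t len;
};

/* x86 encodings of the instruction pairs quoted in the post (assumption:
 * the instructions are emitted back to back, as in the listings). */
static const unsigned char M01[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,4243484Bh ('BCHK') */
static const unsigned char M02[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };       /* mov si,4647h / mov di,4A4Dh */
static const unsigned char M05[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };             /* mov ax,4Fh / int 41h (16-bit) */
static const unsigned char M07[] = { 0xB4, 0x43, 0xCD, 0x68 };                   /* mov ah,43h / int 68h */
static const unsigned char M12[] = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 4Fh / push 2A002Ah */

/* Device and registry names from methods 11 and 13 (in C source, \\ is one backslash). */
static const unsigned char N_SICE[]   = "\\\\.\\SICE";
static const unsigned char N_SIWVID[] = "\\\\.\\SIWVID";
static const unsigned char N_NTICE[]  = "\\\\.\\NTICE";
static const unsigned char N_REG[]    = "NuMega\\SoftICE";

static const struct signature SIGS[] = {
    { "M01 mov ebp,'BCHK' before int 3",  M01, sizeof M01 },
    { "M02 int 3 backdoor magic SI/DI",    M02, sizeof M02 },
    { "M05 int 41h function 4Fh",          M05, sizeof M05 },
    { "M07 int 68h function 43h",          M07, sizeof M07 },
    { "M12 VxDCall VWIN32_Int41Dispatch",  M12, sizeof M12 },
    { "M11 device name \\\\.\\SICE",       N_SICE,   sizeof N_SICE - 1 },
    { "M11 device name \\\\.\\SIWVID",     N_SIWVID, sizeof N_SIWVID - 1 },
    { "M11 device name \\\\.\\NTICE",      N_NTICE,  sizeof N_NTICE - 1 },
    { "M13 registry key NuMega\\SoftICE",  N_REG,    sizeof N_REG - 1 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

struct hit { const char *label; size_t offset; };

/* Linear scan of buf: writes up to max_hits matches, ordered by offset,
 * and returns how many were written. A memcmp per position is fine for a
 * demo; a real tool would use a multi-pattern matcher. */
size_t scan_anti_softice(const unsigned char *buf, size_t len,
                         struct hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        for (size_t s = 0; s < NSIGS && n < max_hits; s++) {
            if (SIGS[s].len <= len - i &&
                memcmp(buf + i, SIGS[s].bytes, SIGS[s].len) == 0) {
                hits[n].label = SIGS[s].label;
                hits[n].offset = i;
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample image: NOP padding, method 01 in full, a \\.\SICE
 * device string, then method 05 in full. Not taken from any real binary. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,       /* mov ebp,4243484Bh */
    0x66, 0xB8, 0x04, 0x00,             /* mov ax,4 */
    0xCC,                               /* int 3 */
    0x3C, 0x04,                         /* cmp al,4 */
    0x75, 0x10,                         /* jnz SoftICE_Detected */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,
    0xB8, 0x4F, 0x00,                   /* mov ax,4Fh */
    0xCD, 0x41,                         /* int 41h */
    0x3D, 0x86, 0xF3,                   /* cmp ax,0F386h */
    0x74, 0x05,                         /* jz SoftICE_detected */
    0xC3                                /* ret */
};

size_t scan_sample(struct hit *hits, size_t max_hits)
{
    return scan_anti_softice(SAMPLE, sizeof SAMPLE, hits, max_hits);
}

int main(void)
{
    struct hit hits[16];
    size_t n = scan_sample(hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("offset 0x%zx: %s\n", hits[i].offset, hits[i].label);
    return 0;
}
```

On the constructed image the scanner reports three hits: method 01 at offset 3, the `\\.\SICE` string at offset 17 and method 05 at offset 26. The byte signatures are deliberately short, so on a real file expect false positives from unrelated code and confirm each hit in a disassembler; the string and registry-path signatures are the more reliable ones.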
汶上信息港 (Wenshang Information Port), 鲁ICP备19052200号-1