About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
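Added example, not code from the original post: a decoder for the DR7 value this method reads, so the two readings quoted above (0x700 and 0x400) and any BPM can be checked field by field. Bit 10 of DR7 is architecturally always 1, which is why a register with nothing set reads 0x400; the sample readings are constructed here.

```python
# Added example, not code from the original post: decode the x86 DR7 fields
# behind the Method 10 check.  Layout per the Intel SDM: L0..L3/G0..G3 in
# bits 0-7, LE = bit 8, GE = bit 9, bit 10 reserved (reads as 1), GD = bit 13,
# then one R/W + LEN pair per breakpoint in bits 16-31.
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the global flags encoded in DR7."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        bps.append({"reg": f"dr{n}", "scope": "global" if glob else "local",
                    "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": bps,
    }


def classify(dr7: int) -> str:
    """Map a DR7 reading onto the three cases the text distinguishes."""
    f = decode_dr7(dr7)
    if f["breakpoints"]:
        return "hardware breakpoints set (BPM): " + ", ".join(
            f"{b['reg']} {b['kind']} {b['len']}B {b['scope']}" for b in f["breakpoints"])
    if f["LE"] and f["GE"]:
        return "LE/GE set: the 0x700 reading the text gives for a program started with the SoftICE loader"
    return "no breakpoints, LE/GE clear: the 0x400 baseline (bit 10 is always 1)"


if __name__ == "__main__":
    # Constructed readings: the two values quoted in the text plus one BPM example
    # (dr0 enabled locally as a 4-byte write watch: L0=1, RW0=01, LEN0=11).
    for value in (0x400, 0x700, 0x000D0701):
        print(f"dr7={value:#010x}: {classify(value)}")
```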

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Open the SoftICE VxD by device name; the open only succeeds if the driver is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
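Added example, not code from the original post: a static scanner for the byte patterns that Methods 01 to 07, 11, 12 and 13 above leave in a DOS/Win9x binary, the kind of check an analyst runs over a sample before tracing it. The opcode encodings come from the Intel manuals, the signature labels follow the method numbers above, and the sample buffer is constructed here.

```python
# Added example, not code from the original post: scan a byte buffer for the
# SoftICE-detection idioms described above.  Encodings used (Intel SDM):
# B8+r iw = mov r16,imm16; B4 ib = mov ah,imm8; BD id = mov ebp,imm32;
# E4 ib = in al,imm8; CD ib = int n; CC = int 3; 68 id = push imm32.
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker BCHK", rb"\xBD\x4B\x48\x43\x42.{0,12}\xCC"),
    # Method 02: the two magic values 4647h/4A4Dh loaded into SI and DI
    ("02 back door SI/DI magic", rb"\xBE\x47\x46.{0,12}\xBF\x4D\x4A"),
    # Methods 03/04: mov bx,0202h (SICE) or 7A5Fh (SIWVID) ... int 2Fh
    ("03 int 2F/1684 SICE VxD", rb"\xBB\x02\x02.{0,8}\xCD\x2F"),
    ("04 int 2F/1684 SIWVID VxD", rb"\xBB\x5F\x7A.{0,8}\xCD\x2F"),
    # Method 05: mov ax,4Fh ... int 41h
    ("05 int 41/4F", rb"\xB8\x4F\x00.{0,8}\xCD\x41"),
    # Method 06 has no ax=4Fh: key off the PIT read (in al,40h) before int 41h
    ("06 int 41 timer variant", rb"\xE4\x40.{0,8}\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68/43", rb"\xB4\x43\xCD\x68"),
    # Method 11: device names opened with CreateFileA / _lopen
    ("11 MeltICE device name", re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 2A002Ah before the VxDCall
    ("12 VxDCall Int41Dispatch", rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    # Method 13: registry key probe
    ("13 registry key", re.escape(b"Software\\NuMega\\SoftICE")),
]


def scan(buf: bytes) -> list:
    """Return sorted (offset, label) hits for every signature found in buf."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: four NOPs, then Methods 01, 02 and 06 encoded as shown
# in the text, then a MeltICE device-name string, then four more NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"      # mov ax,911h; mov dx,[bx]; mov si; mov di; int 3
    + b"\xE4\x40\x33\xC9\xCD\x41\x3A\xC8\x75\x02"                  # in al,40h; xor cx,cx; int 41h; cmp cl,al; jnz
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```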