<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP='BCHK' and AX=4, an INT 3 that reaches SoftICE comes back with AL
changed, so if AL is still 4 afterwards SoftICE is not loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface, which gives information on breakpoints or
executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less common method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed first; if the VxD is not
loaded the call leaves it at 0:0, otherwise it returns the entry point.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers to int 41h, function 4Fh (the debugger installation
check). There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next variant, as well as the one in method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is
first pointed at a dummy IRET handler, so that without a system debugger
the call simply returns with AX unchanged; SoftICE intercepts int 41h
before the vector is reached and still answers with 0F386h.

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but harder to spot: there is no
compare with 0F386h. The int 41h handler is replaced by a stub that copies
AL into CL, and AL is loaded from the timer port (40h) so a debugger
cannot predict it. With no system debugger the stub runs and CL equals AL;
if the int 41h is intercepted (the stub is never reached and CX stays 0)
or AL comes back modified, the compare fails and a debugger is assumed.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the timer
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

Not a SoftICE detection method, but a way to crash the system by
intercepting int 01h and int 03h (which SoftICE needs for tracing and
breakpoints) and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether a VxD is installed for
the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0
only), you can detect whether SoftICE is loaded (DR7=0x700 if you loaded
the program with the SoftICE loader, 0x400 otherwise: bit 10 of DR7 is
reserved and always reads as 1, and 0x700 adds the LE/GE bits 8 and 9)
or whether memory breakpoints (BPM) are set, since they occupy DR0 to DR3
and their enable bits in DR7. The values can be manipulated or changed
as well (clearing BPMs, for instance).

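As an added example (not part of the original text), here is a decoder for the DR7 bits the paragraph above refers to, written from the Intel SDM layout of the debug registers. It shows why a clean DR7 reads 0x400 and 0x700 means LE and GE are set, how a BPM shows up as an enabled slot, and what "clearing BPMs" amounts to at the bit level. Reading or writing DR7 itself needs ring 0, which this example does not attempt; it only interprets values already obtained there.

```python
# IA-32 debug-register decoding for the check described in method 10.
# Layout from the Intel SDM, vol. 3 ("Debug Registers"): for slot n,
# Ln/Gn are bits 2n/2n+1, R/Wn is the 2-bit field at 16+4n and LENn the
# 2-bit field at 18+4n; LE/GE are bits 8/9, bit 10 is reserved and always
# reads as 1, GD is bit 13.  No DR7 is read here: the values passed in
# are assumed to come from ring-0 code such as a VxD.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}     # encoding 0b10 means 8 bytes only in 64-bit mode
ENABLE_MASK = 0x000000FF                  # L0..G3
CONTROL_MASK = 0xFFFF0000                 # R/W0..LEN3
DR7_CLEAN = 0x400                         # nothing set, only the reserved bit


def decode_dr7(dr7):
    """Return the enabled breakpoint slots and the LE/GE/GD flags of a DR7 value."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        if local or glob:
            slots.append({
                "slot": n,                # the breakpoint address lives in DRn
                "local": local,
                "global": glob,
                "kind": RW_NAMES[dr7 >> (16 + 4 * n) & 3],
                "length": LEN_BYTES[dr7 >> (18 + 4 * n) & 3],
            })
    return {
        "le": bool(dr7 >> 8 & 1),
        "ge": bool(dr7 >> 9 & 1),
        "gd": bool(dr7 >> 13 & 1),
        "slots": slots,
    }


def softice_indicators(dr7):
    """The two observations the text makes, as a list of strings."""
    info = decode_dr7(dr7)
    found = []
    if info["le"] and info["ge"]:
        found.append("LE+GE set (bits 8 and 9): program loaded via the SoftICE loader")
    for s in info["slots"]:
        found.append("BPM in DR%d: %s, %d byte(s)" % (s["slot"], s["kind"], s["length"]))
    return found


def clear_bpms(dr7):
    """DR7 with every Ln/Gn enable bit and every R/W-LEN field cleared
    (the 'clearing BPMs' manipulation mentioned above); LE/GE/GD are kept."""
    return dr7 & ~(ENABLE_MASK | CONTROL_MASK)


if __name__ == "__main__":
    # 0x00F00408: reserved bit plus a global 4-byte read/write BPM in slot 1
    for value in (DR7_CLEAN, 0x700, 0x701, 0x00F00408):
        print("DR7=%08X -> %s" % (value, softice_indicators(value) or ["nothing"]))
```

Note that `clear_bpms()` deliberately keeps LE/GE: a protection that only wants to blind BPMs without revealing itself would write back exactly that value, and a debugger that re-reads DR7 after every single-step is the counter.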
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. If the open succeeds, the
driver is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 'tICE'
sits at offset 0x13 of key #2 and 0x37 of key #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring
0 only). The service returns with the zero flag set when no debugger is
installed.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>