<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the following method, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES must be 0 here (interrupt vector table)
    xchg bx, es:[41h*4+2]   ; install our own int 41h handler, saving the old one
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only runs if our vector actually received the int
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0: interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = timer byte, an unpredictable value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL != AL: something else swallowed the int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
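
The instruction sequences in Methods 01 to 07 (and the VxDCall form of the
same int 41h/4Fh check described later under Method 12) all hinge on a few
fixed immediates and interrupt numbers, which makes them easy to find
statically in a protected binary before anyone single-steps into them. The
Python scanner below is an added example written for this page; it is not
code from the original document or from any tool it mentions. The byte
encodings are those of the instructions listed above, and the sample buffer,
rule names and offsets are constructed for the illustration.

```python
# Added example: static scanner for the SoftICE-detection instruction
# sequences of Methods 01 to 07 (and the VxDCall form of Method 12).  Not code
# from the original document; rule names, sample buffer and offsets are ours.
import re

# name -> regex over raw bytes.  Encodings are those of 16-bit code; an optional
# 66h operand-size prefix is accepted so the same rule fires in 32-bit code.
# A hit is a candidate to confirm in a disassembler, not proof by itself.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK')      -> [66] BD 4B 48 43 42
    "M01 BoundsChecker 'BCHK' in EBP": rb"\x66?\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh     -> BE 47 46 / BF 4D 4A, either order
    "M02 int 3 back door magic SI/DI":
        rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A|\x66?\xBF\x4D\x4A.{0,16}?\x66?\xBE\x47\x46",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h entry point of SICE/SIWVID":
        rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh (function 4Fh of the int 41h debugger interface)
    "M05 mov ax,4Fh": rb"\x66?\xB8\x4F\x00",
    # Methods 05/06: any int 41h; it is the debugger interface, not a DOS service
    "M05/06 int 41h issued": rb"\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h V86 check": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh ; push 2A002Ah (push imm32) ahead of the VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch": rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00",
    # Shared epilogue of 05/07/12: cmp ax,0F386h  -> [66] 3D 86 F3
    "magic 0F386h compare": rb"\x66?\x3D\x86\xF3",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return a sorted list of (offset, rule name) for every match in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: filler, the Method 01 check as listed above (16-bit code),
# the core of the HASPINST loop from Method 02, then a bare Method 05 check.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh
    + b"\xB8\x04\x00"               # mov ax,4
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al,4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09"               # mov ax,0911h
    + b"\x8B\x17"                   # mov dx,[bx]
    + b"\xBE\x47\x46"               # mov si,4647h
    + b"\xBF\x4D\x4A"               # mov di,4A4Dh
    + b"\xCC"                       # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"               # mov ax,4Fh
    + b"\xCD\x41"                   # int 41h
    + b"\x3D\x86\xF3"               # cmp ax,0F386h
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The rules deliberately match immediates rather than whole blocks, because
packers tend to reorder or pad these sequences; the bounded `.{0,16}?` gaps
absorb that, at the cost of an occasional false hit that a disassembler view
settles in seconds. Method 06 has no fixed immediate at all, which is why the
bare `int 41h` rule exists.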
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________


Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
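
To make sense of the dr7 values quoted above (0x700 with the SoftICE loader,
0x400 otherwise), here is a small DR7 decoder, added as an example for this
page and not part of the original text. It follows the DR7 layout from the
Intel manuals: bits 0 to 7 are the local/global enable pairs for dr0 to dr3,
bits 8 and 9 are the LE/GE "exact breakpoint" flags, bit 10 is reserved and
always reads as 1, bit 13 is the GD general-detect flag, and bits 16 to 31
hold the condition and length of each breakpoint. The sample values are
constructed.

```python
# Added example for Method 10: decode a DR7 value into the armed hardware
# breakpoints and control flags.  Not code from the original document; the
# layout is the documented x86 one and the sample values are constructed.
from dataclasses import dataclass

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 = 8 bytes only in 64-bit mode


@dataclass
class Breakpoint:
    index: int        # which of dr0..dr3 holds the address
    local: bool       # L0..L3: enabled for the current task
    global_: bool     # G0..G3: enabled for every task
    condition: str    # what access triggers it
    length: int       # size of the watched range in bytes


def decode_dr7(dr7):
    """Return (list of armed Breakpoint, dict of control flags) for a DR7 value."""
    armed = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                      # dr<i> may hold an address but is not armed
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        armed.append(Breakpoint(i, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    flags = {
        "LE": bool((dr7 >> 8) & 1),   # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),   # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),  # general detect: #DB on any MOV to/from DRx
    }
    return armed, flags


def describe_dr7(dr7):
    """One-line summary, e.g. for a log entry produced by a ring-0 checker."""
    armed, flags = decode_dr7(dr7)
    on = [k for k, v in flags.items() if v]
    bps = ", ".join(f"dr{b.index}:{b.condition}/{b.length}B" for b in armed) or "none"
    return f"dr7={dr7:#x} flags={'|'.join(on) or 'none'} breakpoints={bps}"


if __name__ == "__main__":
    # The two values quoted in the text, then one constructed BPM-style entry:
    # 0xF0401 = reserved bit 10, L0 set, condition read/write, length 4 bytes.
    for v in (0x400, 0x700, 0xF0401):
        print(describe_dr7(v))
```

Decoding the two values from the text: 0x400 is nothing but the always-set
reserved bit, i.e. no hardware breakpoint armed, while 0x700 additionally has
LE and GE set, which is what the loader leaves behind. A BPM shows up as an
address in dr0 to dr3 together with its enable bit. Note also the GD flag: a
debugger that sets it gets a debug fault on the very MOV that reads or writes a
debug register, so a ring-0 checker of this kind is itself observable.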

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-)
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
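
The conditional breakpoints given for Method 11 (BPX CreateFileA if
*(esp->4+4)=='SICE' ...) and for Method 13 (BPX _regopenkey if
*(esp->8+0x13)=='tICE' ...) both read an argument pointer off the stack at
function entry and compare four bytes at a fixed offset into the string. The
Python model below evaluates those two conditions against a constructed stack
and memory image, so the offsets can be checked rather than trusted: +4 skips
the "\\.\" device prefix, and 0x13 and 0x37 are where "tICE" falls in the
registry key names #2 and #1. This is an added example for this page, not
SoftICE code or code from the original text; the addresses, the stdcall frame
layout ([esp] return address, [esp+4] first argument, [esp+8] second) and the
sparse memory class are assumptions made for the illustration.

```python
# Added example for Methods 11 and 13: evaluate the SoftICE conditional
# breakpoints from the text against a constructed stack/memory image.
# Not code from the original document; addresses and layout are assumptions.

class Memory:
    """Sparse little-endian 32-bit memory (address -> byte), constructed for the model."""

    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr, n):
        # Unmapped bytes read as zero, like an untouched page in the model.
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def dword(self, addr):
        # SoftICE's  base->off  is the dword at base+off; same read here.
        return int.from_bytes(self.read(addr, 4), "little")


def frame_at_entry(mem, esp, args, ret=0x00401071):
    """Lay out a stdcall frame as seen on the first instruction of the callee:
    [esp] return address, [esp+4] first argument, [esp+8] second, and so on.
    The default return address is the one after 'call CreateFileA' in the
    MeltICE listing above; everything else is constructed."""
    mem.write(esp, ret.to_bytes(4, "little"))
    for i, a in enumerate(args):
        mem.write(esp + 4 * (i + 1), a.to_bytes(4, "little"))


def meltice_bp_fires(filename):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    evaluated for a CreateFileA(lpFileName=filename, ...) call."""
    mem = Memory()
    name_addr, esp = 0x00402025, 0x0012FF80      # 00402025 is from the listing; esp assumed
    mem.write(name_addr, filename + b"\0")
    frame_at_entry(mem, esp, [name_addr])
    p = mem.dword(esp + 4) + 4                   # esp->4 = lpFileName; +4 skips the "\\.\" prefix
    return mem.read(p, 4) in (b"SICE", b"SIWV", b"NTIC")


def regopenkey_bp_fires(subkey):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    evaluated for RegOpenKey(hKey, lpSubKey=subkey, ...)."""
    mem = Memory()
    key_addr, esp = 0x00403000, 0x0012FF80       # both constructed
    mem.write(key_addr, subkey + b"\0")
    frame_at_entry(mem, esp, [0x80000002, key_addr])   # HKEY_LOCAL_MACHINE, lpSubKey
    p = mem.dword(esp + 8)                       # esp->8 = second argument
    return mem.read(p + 0x13, 4) == b"tICE" or mem.read(p + 0x37, 4) == b"tICE"


def tice_offset(subkey):
    """Where 'tICE' sits in a key name (-1 if absent): how 0x13 and 0x37 were derived."""
    return subkey.find(b"tICE")


if __name__ == "__main__":
    for name in (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE", b"C:\\readme.txt"):
        print(name.decode(), "->", meltice_bp_fires(name))
    for key in (b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                b"Software\\NuMega\\SoftICE",
                b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"):
        print(key.decode(), "-> offset", hex(tice_offset(key)), "fires", regopenkey_bp_fires(key))
```

Two things the model makes visible: the _regopenkey condition does not fire
for key #3 (App Paths\Loader32.Exe contains no 'tICE'), and the CreateFileA
condition is a case-sensitive dword compare, so it only matches the exact
spelling MeltICE uses. A breakpoint condition written against a literal
offset is only as good as the string layout it was derived from, which is
why recomputing the offset is worth the minute it takes.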
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>