About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must be 0 (IVT segment) here, see Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the temporary handler copies AL into CL; if SoftICE's own int 41h handler
answers the interrupt instead, CL is never written and the compare fails.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a byte of the PIT counter into AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

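The two DR7 values this method quotes, decoded bit by bit. This is an added example and not code from the original text; it assumes the documented x86 DR7 layout and generalizes from the two quoted values to any DR7 contents.

```python
# Decoder for the DR7 values quoted in Method 10 (0x700 under the SoftICE
# loader, 0x400 otherwise). Added example, not code from the original text.
# Layout is the documented x86 DR7 format: bits 0-7 are the L0/G0..L3/G3
# enable pairs, bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1), bit 13 GD,
# bits 16-31 the R/W and LEN fields of DR0..DR3.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into the breakpoints it arms and its control bits."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                       # DRn not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"reg": f"dr{n}", "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "active_breakpoints": slots,
        "exact_local": bool(dr7 & 0x100),      # LE
        "exact_global": bool(dr7 & 0x200),     # GE
        "reserved_bit10": bool(dr7 & 0x400),   # reserved, reads as 1
        "general_detect": bool(dr7 & 0x2000),  # GD: trap on DR access
    }


def started_under_softice_loader(dr7: int) -> bool:
    """Method 10 heuristic: 0x700 = reserved|GE|LE with no DR0-DR3 armed is
    the SoftICE loader's footprint; 0x400 is just the reserved bit."""
    d = decode_dr7(dr7)
    return d["exact_local"] and d["exact_global"] and not d["active_breakpoints"]


def memory_breakpoints_set(dr7: int) -> bool:
    """True when any of DR0-DR3 is armed, i.e. a BPM is live (Method 10)."""
    return bool(decode_dr7(dr7)["active_breakpoints"])
```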
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Opening SoftICE's Win9x driver by its device name succeeds only when the
   driver is loaded, so a valid handle means the debugger is present. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* don't leak the driver handle */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

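As an added example, not part of the original text: a static scanner that looks for the instruction sequences of Methods 01 to 05, 07 and 12 and the device names of Method 11 in a raw binary. The byte patterns are the standard x86 encodings of the listings above, and the sample input is constructed here from the Haspinst.exe listing of Method 02.

```python
import re

# Static scanner for the SoftICE checks of Methods 01-07, 11 and 12. Each
# pattern is the standard x86 encoding of the instruction sequence quoted in
# the text (16-bit code for the DOS-era checks, 32-bit for the Win32 ones).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    "M01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"),
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (back door magic values)
    "M02 back door magic SI=4647h DI=4A4Dh":
        re.compile(rb"\xbe\x47\x46\xbf\x4d\x4a.{0,8}?\xcc", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03/M04 int 2Fh/1684h VxD ID":
        re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Method 05 (plain and Stone's variant): mov ax,4Fh .. int 41h .. cmp ax,0F386h
    "M05 int 41h/4Fh magic F386h":
        re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "M07 int 68h/43h magic F386h":
        re.compile(rb"\xb4\x43\xcd\x68\x3d\x86\xf3"),
    # Method 11: the device names MeltICE hands to CreateFileA
    "M11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall 002A002Ah/4Fh":
        re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
}


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = [(name, m.start())
            for name, pat in SIGNATURES.items()
            for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample, not a real file: the Haspinst.exe loop of Method 02,
# assembled from the listing at 4C19:0095, then the Method 01 sequence and a
# MeltICE device name, separated by NOP padding.
HASPINST_LOOP = bytes.fromhex(
    "B81109"    # 0095 MOV AX,0911
    "8B17"      # 0098 MOV DX,[BX]
    "BE4746"    # 009A MOV SI,4647
    "BF4D4A"    # 009D MOV DI,4A4D
    "CC"        # 00A0 INT 3
    "83C302"    # 00A1 ADD BX,02
    "41"        # 00A4 INC CX
    "83F906"    # 00A5 CMP CX,06
    "72EB"      # 00A8 JB 0095
    "E955FF"    # 00AA JMP 0002
    "8BDC"      # 00AD MOV BX,SP
)
SAMPLE = (b"\x90" * 16 + HASPINST_LOOP + b"\x90" * 16
          + bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505")   # Method 01 + jnz
          + b"\x90" * 8 + b"\\\\.\\SICE\x00")

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```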
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the subkey string of key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>