<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature serviced by SoftICE: with EBP set
to 'BCHK' and AX=4, an int 3 is answered by SoftICE, which alters AL. If AL
still holds 4 after the interrupt, no SoftICE is present.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much in use (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (display a string in the SoftICE window)
 -AX = 0911h (execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (get breakpoint information)
 -AX = 0913h (set SoftICE breakpoints)
 -AX = 0914h (remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before it services the int 3.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get Device API Entry Point). ES:DI is zeroed first;
if the VxD with the requested ID is loaded, int 2Fh returns a non-zero ES:DI.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Identical to the preceding method, except that it asks for the SoftICE
graphics (display) VxD, SIWVID.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger in reply to int 41h, function 4Fh (the debugger
installation check). There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first puts its own (empty)
handler in the int 41h slot of the interrupt vector table, so that without
a debugger the call returns with AX unchanged; WinICE sees the interrupt
before it is reflected to the V86 vector table and still answers 0F386h.
The original vector is restored afterwards.

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
handler installed in the int 41h slot copies AL to CL. AL is loaded with a
byte read from port 40h (the timer counter, effectively random) and CX is
cleared before the int 41h. If the program's own handler ran, CL equals AL
afterwards; if WinICE serviced the interrupt instead, CL is still 0 and the
debugger is detected (unless the timer byte happens to be 0), without any
magic number appearing in the code.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random byte from the timer
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system: the program
intercepts int 01h and int 03h and redirects them to a routine of its own.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, 01h                     ; vector number (01h or 03h)
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app via VxDCall).
The Get_DDB service is used to determine whether a VxD is installed for the
specified device; it returns the Device Description Block (in ECX) of that
device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
a program can detect whether SoftICE is loaded (DR7 = 0x700 if the program
was started with the SoftICE loader, 0x400 otherwise) or whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 / VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the four
  bytes compared are the start of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word selects the VxD (002Ah = VWIN32),
                                ; low word the service (002Ah = VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
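Added example (not code from the original page nor from any program it
mentions): a static scanner in Python that looks for the byte patterns of
methods 01 to 08, 11, 12 and 13, so that a packed executable can be triaged
for these tricks before it is run under SoftICE. It encodes each method's
instruction sequence with the 66h operand-size prefix optional (so 16-bit DOS
code and 32-bit PE code both match) and allows up to 12 bytes of slack
between the register setup and the interrupt; that slack, the labels and the
two sample buffers are my own assumptions and constructed data, not taken
from real files. The ring-0 methods (09, 10 and 14) are VMM service calls
inside a VxD and are not covered, and code that builds these sequences at
run time (decrypted or self-modifying stubs) is of course not found
statically.

```python
"""Static scanner for the SoftICE-detection idioms described on this page.
Signatures are the x86 encodings of each method's instruction sequence; the
sample buffers at the bottom are constructed for this demo (not real files).
"""
import re
from dataclasses import dataclass


@dataclass
class Hit:
    method: str   # method number from the page plus a short name
    offset: int   # byte offset of the match in the scanned buffer
    detail: str   # extracted parameter: back-door function, VxD ID, string


SLACK = rb".{0,12}?"          # assumption: up to 12 unrelated bytes before the INT
OPSIZE = rb"(?:\x66)?"        # optional operand-size prefix (16-bit vs 32-bit code)
INT3 = rb"(?:\xCC|\xCD\x03)"  # one-byte and two-byte encodings of int 3

BACKDOOR_FUNCS = {0x10: "display string", 0x11: "execute command",
                  0x12: "get breakpoints", 0x13: "set breakpoints",
                  0x14: "remove breakpoints"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def _wide(*literals):
    """Alternation of the literals as UTF-16LE bytes (Unicode string tables)."""
    return b"(?:" + b"|".join(re.escape(s.encode("utf-16-le")) for s in literals) + b")"


# (label, regex over raw bytes, how to fill Hit.detail)
SIGNATURES = [
    ("01 int 3 with EBP='BCHK'", OPSIZE + rb"\xBD\x4B\x48\x43\x42" + SLACK + INT3, None),
    ("02 int 3 back door (SI='FG', DI='JM')",
     OPSIZE + rb"\xBE\x47\x46" + SLACK + OPSIZE + rb"\xBF\x4D\x4A" + SLACK + INT3, "backdoor"),
    ("03/04 int 2Fh/1684h VxD entry point",
     OPSIZE + rb"\xB8\x84\x16" + SLACK + OPSIZE + rb"\xBB(..)" + SLACK + rb"\xCD\x2F", "vxd"),
    ("05 int 41h/4Fh", OPSIZE + rb"\xB8\x4F\x00" + SLACK + rb"\xCD\x41", None),
    # Stone's variants: xchg dx,es:[41h*4] swaps the int 41h slot of the IVT
    ("05/06 int 41h vector swap", rb"\x26\x87\x16\x04\x01", None),
    ("07 int 68h/43h", rb"\xB4\x43" + SLACK + rb"\xCD\x68", None),
    # int 21h/25h with AL = 01h or 03h: mov ax,25xxh, or mov ah / mov al in either order
    ("08 int 21h/25h on vector 01h/03h",
     rb"(?:\xB8[\x01\x03]\x25|\xB4\x25\xB0[\x01\x03]|\xB0[\x01\x03]\xB4\x25)" + SLACK + rb"\xCD\x21",
     None),
    # device names handed to CreateFileA / _lopen, ANSI and UTF-16LE
    ("11 device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)(?![0-9A-Za-z])", "str"),
    ("11 device name (wide)", _wide("\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"), "wstr"),
    # push 4Fh ; push 002A002Ah ; call VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", None),
    ("13 registry key",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)", "str"),
    ("13 registry key (wide)",
     _wide("NuMega\\SoftICE", "Uninstall\\SoftICE", "App Paths\\Loader32.Exe"), "wstr"),
]


def scan(blob: bytes):
    """Return every signature hit in blob, sorted by offset."""
    hits = []
    for label, pattern, kind in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            detail = ""
            if kind == "backdoor":
                # the function code is loaded with mov ax,091xh (B8 1x 09) shortly before
                sel = re.search(rb"\xB8([\x10-\x14])\x09", blob[max(0, m.start() - 16):m.end()])
                detail = ("AX=09%02Xh: %s" % (sel.group(1)[0], BACKDOOR_FUNCS[sel.group(1)[0]])
                          if sel else "function code not found nearby")
            elif kind == "vxd":
                vxd_id = int.from_bytes(m.group(1), "little")
                detail = "BX=%04Xh (%s)" % (vxd_id, VXD_IDS.get(vxd_id, "not a SoftICE VxD"))
            elif kind == "str":
                detail = m.group(0).decode("ascii")
            elif kind == "wstr":
                detail = m.group(0).decode("utf-16-le")
            hits.append(Hit(label, m.start(), detail))
    return sorted(hits, key=lambda h: h.offset)


def methods_found(blob: bytes):
    """Set of method numbers ('01', '03/04', ...) whose idiom appears in blob."""
    return {h.method.split()[0] for h in scan(blob)}


# Constructed samples: a 32-bit packer stub and a 16-bit DOS stub.
PACKER_STUB_32 = (
    b"\xBD\x4B\x48\x43\x42" b"\x66\xB8\x04\x00" b"\xCC" b"\x3C\x04" b"\x75\x20"         # 01
    b"\x6A\x4F" b"\x68\x2A\x00\x2A\x00" b"\xFF\x15\x00\x10\x40\x00" b"\x66\x3D\x86\xF3"  # 12
    b"\\\\.\\SICE\x00" b"\\\\.\\SIWVID\x00"                                           # 11
    + "Software\\NuMega\\SoftICE".encode("utf-16-le") + b"\x00\x00"                   # 13
)
DOS_STUB_16 = (
    b"\xB8\x11\x09" b"\x8B\x17" b"\xBE\x47\x46" b"\xBF\x4D\x4A" b"\xCC"  # 02 (HASP style)
    b"\xB8\x84\x16" b"\xBB\x02\x02" b"\xCD\x2F"                          # 03 (asks for SICE)
    b"\xB4\x43" b"\xCD\x68"                                              # 07
    b"\x26\x87\x16\x04\x01"                                              # 05/06 (Stone)
    b"\xB4\x25\xB0\x03" b"\xBA\x00\x01" b"\xCD\x21"                      # 08
)
```

Run it on a real file with scan(open(path, "rb").read()). The 03/04 hit
reports which VxD ID was requested, so an int 2Fh/1684h probe for an
unrelated VxD is not mistaken for SoftICE detection, and the 02 hit names the
back-door function (an HBOOT attempt shows up as AX=0911h, execute command).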

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE'
  in key #2 and key #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>