<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP='BCHK' and
AX=4, SoftICE services the INT 3 itself and changes AL. If SoftICE is not
loaded, AL still holds 4 after the INT 3.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which return information about
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; DS:DX points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP        ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via INT 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives the
address of its API entry point; otherwise ES:DI is left at 0:0.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when INT 41h, function 4Fh (debugger installation check)
is called.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz  SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the INT 41h
vector at a dummy IRET handler before the call; if AX still comes back as
0F386h, something below the interrupt vector table (the SoftICE VxD)
answered the request:

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own INT 41h vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz  SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect. The INT 41h
vector is again pointed at a private handler, but this time the check is
whether that handler ran at all: it copies AL into CL. If a debugger
swallows INT 41h instead of reflecting it to the vector in the IVT, CL
stays 0 and differs from AL.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in  al, 40h             ; AL = a byte of the PIT counter (pseudo-random)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

Note that if the byte read from port 40h happens to be 0, CL and AL are
equal even when the handler never ran, so this variant can miss the debugger.

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86): function AH=43h returns
AX=0F386h when SoftICE is present.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz  SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their values (in ring 0 only). The values
can be manipulated or changed as well (clearing BPMs, for instance).
Bit 10 of DR7 is reserved and always reads as 1, which is where the 0x400
comes from; 0x700 additionally has the LE and GE bits (8 and 9) set.

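Added example (not part of the original text): a small C program that decodes
and edits DR7 the way the check above reads it from ring 0, so you can see
which slots are armed, what kind of breakpoint each one is, and what a
"clear BPM" has to touch. The bit layout is the documented IA-32 one; the
0x700/0x400 heuristic is the page's own claim, and the DR0..DR3 and DR7
values used below are constructed, not read from a machine.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (IA-32): bits 0..7 are L0,G0 .. L3,G3 (local/global enable per
 * slot), bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1), bit 13 GD,
 * bits 16+4*i..17+4*i = R/W type and bits 18+4*i..19+4*i = length of slot i. */
enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_READWRITE = 3 };

/* Bit mask (bit i set) of the slots that have a local or global enable bit. */
unsigned dr7_enabled_slots(uint32_t dr7)
{
    unsigned mask = 0;
    for (int i = 0; i < 4; i++)
        if (dr7 & (3u << (2 * i)))
            mask |= 1u << i;
    return mask;
}

enum bp_kind dr7_bp_kind(uint32_t dr7, int slot)
{
    return (enum bp_kind)((dr7 >> (16 + 4 * slot)) & 3u);
}

/* Bytes covered by a slot: LEN encoding 00=1, 01=2, 11=4, 10=8 (8 is x86-64 only). */
unsigned dr7_bp_len(uint32_t dr7, int slot)
{
    static const unsigned len_by_code[4] = { 1, 2, 8, 4 };
    return len_by_code[(dr7 >> (18 + 4 * slot)) & 3u];
}

/* The page's heuristic: the SoftICE loader leaves LE|GE (bits 8,9) set on top
 * of the always-set reserved bit 10, so DR7 reads 0x700 instead of 0x400. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700u) == 0x700u;
}

/* Clear one slot the way "clearing a BPM" must: drop its L/G enable bits and
 * its R/W-LEN nibble, leaving the other slots and the LE/GE/GD bits alone. */
uint32_t dr7_clear_slot(uint32_t dr7, int slot)
{
    dr7 &= ~(3u << (2 * slot));
    dr7 &= ~(0xFu << (16 + 4 * slot));
    return dr7;
}

/* Print a summary of the armed slots; dr[] holds DR0..DR3. Returns how many are active. */
int dr_report(uint32_t dr7, const uint32_t dr[4])
{
    static const char *kind_name[4] = { "execute", "write", "I/O", "read/write" };
    unsigned active = dr7_enabled_slots(dr7);
    int n = 0;
    printf("DR7=%08" PRIx32 "%s\n", dr7,
           dr7_looks_like_softice_loader(dr7) ? "  (0x700: SoftICE loader signature)" : "");
    for (int i = 0; i < 4; i++) {
        if (!(active & (1u << i)))
            continue;
        printf("  DR%d=%08" PRIx32 "  %-10s len=%u %s\n", i, dr[i],
               kind_name[dr7_bp_kind(dr7, i)], dr7_bp_len(dr7, i),
               (dr7 & (2u << (2 * i))) ? "global" : "local");
        n++;
    }
    return n;
}

/* CONSTRUCTED sample values (not read from a real machine): an execute
 * breakpoint in slot 0 and a 4-byte read/write breakpoint in slot 1, both
 * local, on top of the 0x700 the page attributes to the SoftICE loader. */
#define SAMPLE_DR7 0x00F00705u
static const uint32_t SAMPLE_DR[4] = { 0x00401000u, 0x0040A120u, 0u, 0u };

int main(void)
{
    int n = dr_report(SAMPLE_DR7, SAMPLE_DR);
    uint32_t cleared = dr7_clear_slot(SAMPLE_DR7, 1);
    printf("%d active slot(s); after clearing slot 1: DR7=%08" PRIx32 "\n", n, cleared);
    return 0;
}
```

Clearing slot 1 of the sample leaves DR7 at 0x701: slot 0 is still armed and
the 0x700 "loader" bits survive, which is exactly why a protection that only
wipes DR0..DR3 and the enable bits does not hide the loader signature.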
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE VxD answers the open request, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025       ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-001
        00401074:  je   00401091

There are hundreds of BPXs you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; _lopen returns -1 (HFILE_ERROR) when the open fails
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, there are several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one.

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!
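Most of the checks above (methods 01, 02, 03/04, 05, 07 and this one) leave a
fixed sequence of opcode bytes in the protected file, which is how a static
scanner flags an anti-SoftICE stub before it ever runs. The following C
program is an added example, not code from the original text or from any of
the programs named on this page: it scans a raw code buffer for those byte
patterns. The opcodes are the standard 16-bit encodings (32-bit for the
method 01 and method 12 stubs), the 32-byte window that lets unrelated
instructions sit between the fragments is an arbitrary choice, and the
sample buffer is constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One instruction-sized fragment of a signature. */
typedef struct { const uint8_t *b; size_t n; } part_t;
/* Fragments must appear in order: part[0] exactly at the hit offset, the rest
 * within WINDOW bytes, so a mov dx,[bx] between the magic values (as in the
 * Haspinst loop) does not break the match. */
typedef struct { const char *name; part_t part[3]; int nparts; } sig_t;
#define WINDOW 32
#define PART(a) { (a), sizeof (a) }

static const uint8_t m01_ebp[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };  /* mov ebp,4243484Bh (32-bit) */
static const uint8_t m01_ax4[]    = { 0x66, 0xB8, 0x04, 0x00 };        /* mov ax,4          (32-bit) */
static const uint8_t int3[]       = { 0xCC };                          /* int 3 */
static const uint8_t m02_si[]     = { 0xBE, 0x47, 0x46 };              /* mov si,4647h */
static const uint8_t m02_di[]     = { 0xBF, 0x4D, 0x4A };              /* mov di,4A4Dh */
static const uint8_t m03_ax[]     = { 0xB8, 0x84, 0x16 };              /* mov ax,1684h */
static const uint8_t m03_bx[]     = { 0xBB, 0x02, 0x02 };              /* mov bx,0202h */
static const uint8_t m04_bx[]     = { 0xBB, 0x5F, 0x7A };              /* mov bx,7A5Fh */
static const uint8_t int2f[]      = { 0xCD, 0x2F };                    /* int 2Fh */
static const uint8_t m05_ax[]     = { 0xB8, 0x4F, 0x00 };              /* mov ax,4Fh */
static const uint8_t int41[]      = { 0xCD, 0x41 };                    /* int 41h */
static const uint8_t m07_ah[]     = { 0xB4, 0x43 };                    /* mov ah,43h */
static const uint8_t int68[]      = { 0xCD, 0x68 };                    /* int 68h */
static const uint8_t m12_push4f[] = { 0x6A, 0x4F };                    /* push 4Fh       (32-bit) */
static const uint8_t m12_push2a[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };  /* push 002A002Ah (32-bit) */

enum { SIG_M01_BCHK, SIG_M02_BACKDOOR, SIG_M03_SICE_VXD, SIG_M04_SIWVID_VXD,
       SIG_M05_INT41, SIG_M07_INT68, SIG_M12_VXDCALL, NSIGS };

static const sig_t SIGS[NSIGS] = {
    { "M01 BoundsChecker int 3",   { PART(m01_ebp), PART(m01_ax4), PART(int3) }, 3 },
    { "M02 back door magic int 3", { PART(m02_si),  PART(m02_di),  PART(int3) }, 3 },
    { "M03 int 2F/1684 SICE",      { PART(m03_ax),  PART(m03_bx),  PART(int2f) }, 3 },
    { "M04 int 2F/1684 SIWVID",    { PART(m03_ax),  PART(m04_bx),  PART(int2f) }, 3 },
    { "M05 int 41/4F",             { PART(m05_ax),  PART(int41) }, 2 },
    { "M07 int 68/43",             { PART(m07_ah),  PART(int68) }, 2 },
    { "M12 VxDCall Int41Dispatch", { PART(m12_push4f), PART(m12_push2a) }, 2 },
};

/* Does signature s start exactly at `start`, with its later parts following in order within WINDOW? */
static int match_at(const uint8_t *buf, size_t len, size_t start, const sig_t *s)
{
    const part_t *p0 = &s->part[0];
    if (start + p0->n > len || memcmp(buf + start, p0->b, p0->n) != 0)
        return 0;
    size_t pos = start + p0->n;
    size_t limit = (start + WINDOW < len) ? start + WINDOW : len;
    for (int i = 1; i < s->nparts; i++) {
        const part_t *p = &s->part[i];
        int found = 0;
        for (; pos + p->n <= limit; pos++)
            if (memcmp(buf + pos, p->b, p->n) == 0) { pos += p->n; found = 1; break; }
        if (!found)
            return 0;
    }
    return 1;
}

/* Scan a code buffer; prints every hit and returns a bit mask of the SIG_* indices seen. */
unsigned scan_softice_sigs(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t off = 0; off < len; off++)
        for (int k = 0; k < NSIGS; k++)
            if (match_at(buf, len, off, &SIGS[k])) {
                printf("%-28s at offset 0x%04zx\n", SIGS[k].name, off);
                hits |= 1u << k;
            }
    return hits;
}

/* CONSTRUCTED sample, not a real file: a Haspinst-style Method 02 loop body
 * (with mov ax,0911h / mov dx,[bx] before the magic values), a Method 05
 * check and a Method 12 VxDCall, padded with NOPs. */
static const uint8_t SAMPLE_CODE[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,               /* mov ax,0911h   */
    0x8B, 0x17,                     /* mov dx,[bx]    */
    0xBE, 0x47, 0x46,               /* mov si,4647h   */
    0xBF, 0x4D, 0x4A,               /* mov di,4A4Dh   */
    0xCC,                           /* int 3          */
    0x83, 0xC3, 0x02,               /* add bx,2       */
    0xB8, 0x4F, 0x00,               /* mov ax,4Fh     */
    0xCD, 0x41,                     /* int 41h        */
    0x3D, 0x86, 0xF3,               /* cmp ax,0F386h  */
    0x90,
    0x6A, 0x4F,                     /* push 4Fh       */
    0x68, 0x2A, 0x00, 0x2A, 0x00,   /* push 002A002Ah */
    0x90
};

/* Builds mov si,4647h / `gap` NOPs / mov di,4A4Dh / int 3 and scans it: shows
 * that the magic values only count as a Method 02 stub when they sit close together. */
unsigned scan_split_backdoor(size_t gap)
{
    uint8_t buf[64];
    size_t n = sizeof m02_si + gap + sizeof m02_di + sizeof int3;
    if (n > sizeof buf)
        return 0;
    memcpy(buf, m02_si, sizeof m02_si);
    memset(buf + sizeof m02_si, 0x90, gap);
    memcpy(buf + sizeof m02_si + gap, m02_di, sizeof m02_di);
    memcpy(buf + sizeof m02_si + gap + sizeof m02_di, int3, sizeof int3);
    return scan_softice_sigs(buf, n);
}

int main(void)
{
    unsigned hits = scan_softice_sigs(SAMPLE_CODE, sizeof SAMPLE_CODE);
    printf("sample: hit mask 0x%02x\n", hits);
    printf("magic values 40 bytes apart: mask 0x%02x (outside the %d-byte window)\n",
           scan_split_backdoor(40), WINDOW);
    return 0;
}
```

Run it on a whole executable or on an unpacked memory dump; the offsets it
prints are where you would set a BPX (or patch the conditional jump) before
letting the code reach the INT 3 / INT 41h / VxDCall. Keep in mind it only
sees immediate-operand forms: a stub that builds the magic values in
registers at run time or packs them under an encryption layer needs one of
the breakpoints listed on this page instead.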
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je  not_installed       ; ZF is set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>