About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE recognizes on INT 3:
'BCHK' in EBP and 04h in AX. If SoftICE is present it answers the call and
AL no longer holds 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via INT 2Fh/1684h
(Get VxD API entry point). When the VxD is present ES:DI receives a non-zero
entry point; when it is absent ES:DI stays 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first swaps its own dummy handler
into the INT 41h vector (ES must point to the interrupt vector table, i.e.
ES=0, which Method 06 does explicitly), so that without a debugger the call
returns with AX untouched:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
no 0F386h constant appears in the code:

int41handler PROC
    mov     cl,al                   ; record that our own handler ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the timer counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

If INT 41h reaches the handler in the IVT, CL ends up equal to AL. If
SoftICE services INT 41h itself instead of passing it on to the vector, CL
stays 0 and the compare fails (unless the value read from port 40h happened
to be 0, so the check has a 1-in-256 chance of a false negative).

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on INT 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector) and DS:DX
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE Loader, 0x400 otherwise)
or if there are some memory breakpoints set (DR0 to DR3), simply by reading
their value (in ring 0 only). The values can be manipulated and changed as
well (clearing BPMs for instance).
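To make the register check above concrete, here is an added example (not
from the original text) that decodes DR7 the way a ring-0 routine would and
reports what it finds. The bit layout is the documented Intel one: L0..G3 in
bits 0-7, LE/GE in bits 8-9, bit 10 always reads 1 (hence the 0x400
baseline), GD in bit 13, then R/W and LEN pairs from bit 16 upwards. The
register snapshots and the function names are constructed for the example.

```python
"""Decode the x86 debug control register the way a Method-10 style ring-0
check looks at it.  Added example; the snapshots are constructed, not
captured from a live system."""
from typing import Dict, List

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding; 10b = 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its global enable bits and the four per-slot fields."""
    slots = []
    for i in range(4):
        slots.append({
            "slot": i,
            "local": bool((dr7 >> (2 * i)) & 1),          # L0..L3
            "global": bool((dr7 >> (2 * i + 1)) & 1),     # G0..G3
            "kind": RW_KIND[(dr7 >> (16 + 4 * i)) & 3],   # R/W0..R/W3
            "len": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],  # LEN0..LEN3
        })
    return {
        "LE": bool(dr7 & (1 << 8)),     # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),     # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),    # general detect: MOV DRx itself traps
        "slots": slots,
    }


def softice_indicators(dr0: int, dr1: int, dr2: int, dr3: int, dr7: int) -> List[str]:
    """Findings a Method-10 style check would report for one register snapshot."""
    info = decode_dr7(dr7)
    findings: List[str] = []
    if info["LE"] and info["GE"]:
        findings.append("LE+GE set (the 0x700 pattern left by the SoftICE Loader)")
    if info["GD"]:
        findings.append("GD set: the next MOV to/from a debug register will trap")
    for addr, slot in zip((dr0, dr1, dr2, dr3), info["slots"]):
        if slot["local"] or slot["global"]:
            findings.append(
                f"BPM armed in dr{slot['slot']} at {addr:#010x} "
                f"({slot['kind']}, {slot['len']} byte(s))")
        elif addr:
            findings.append(f"stale address in dr{slot['slot']}: {addr:#010x}")
    return findings


def sample_snapshots() -> Dict[str, List[str]]:
    """Constructed snapshots: clean system, SoftICE Loader, and one BPM W dword."""
    # L0 enabled, R/W0 = write, LEN0 = 4 bytes, on top of the 0x700 baseline -> 0xD0701
    bpm_w_dword = 0x700 | 1 | (1 << 16) | (3 << 18)
    return {
        "clean":  softice_indicators(0, 0, 0, 0, 0x400),
        "loader": softice_indicators(0, 0, 0, 0, 0x700),
        "bpm":    softice_indicators(0x401000, 0, 0, 0, bpm_w_dword),
    }


if __name__ == "__main__":
    for name, findings in sample_snapshots().items():
        print(name, findings or ["nothing"])
```

The GD line is the caveat worth remembering: a debugger that sets DR7.GD
makes every MOV to or from DR0-DR7 raise #DB, so the very read that this
trick relies on can be caught by the debugger before it returns a value.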

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix so
  that the dword compare lands on the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
in "Software\NuMega\SoftICE" and in "Software\Microsoft\Windows\
CurrentVersion\Uninstall\SoftICE" respectively.)

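Most of the tricks above leave fixed byte sequences in the protected program:
the immediates of Methods 01 to 07 and 12, the device names of Method 11 and
the key name of Method 13. The following is an added example, not part of the
original text, of a small static scanner that looks for those encodings in a
raw binary image. The signature bytes are derived from the instructions as
quoted (16-bit immediates for the DOS/V86 tricks, the BCHK check in both its
16-bit and 32-bit form, operand-size prefixes left optional); the labels, the
function names and the sample image are constructed for this example and are
not taken from any real program.

```python
"""Static scanner for the anti-SoftICE sequences listed above.

Added example: the patterns follow the instructions quoted in the methods;
the sample image below is constructed and not taken from any real binary.
"""
import re
import sys
from typing import List, Tuple

# (label, regex over raw bytes).  Operand-size prefixes are left out or made
# optional so that both the 16-bit and 32-bit encodings of a trick are found.
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("01 int3 BCHK",
     rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00(?:\xCC|\xCD\x03)"),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (either register order)
    ("02 int3 back door",
     rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)(?:\xCC|\xCD\x03)"),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh
    ("03 int2F/1684h SICE",   rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("04 int2F/1684h SIWVID", rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int41h/4Fh",         rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int68h/43h",         rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry key of the SoftICE installation
    ("13 registry key",        rb"Software\\NuMega\\SoftICE"),
]

COMPILED = [(label, re.compile(pat)) for label, pat in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image stitching the quoted sequences with NOP filler."""
    filler = b"\x90" * 8
    return b"".join([
        filler,
        # mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz   (32-bit code)
        b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10",
        filler,
        # Haspinst-style: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
        b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC",
        filler,
        # xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
        b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
        filler,
        # mov ax,4Fh / int 41h / cmp ax,0F386h
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
        filler,
        # push 4Fh / push 002A002Ah / call dword ptr [imm32]
        b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00",
        filler,
        b"\\\\.\\SICE\x00",
        b"\\\\.\\SIWVID\x00",
        b"Software\\NuMega\\SoftICE\x00",
        filler,
    ])


def main(argv: List[str]) -> None:
    """Scan the file named on the command line, or the built-in sample."""
    blob = open(argv[1], "rb").read() if len(argv) > 1 else build_sample()
    for offset, label in scan(blob):
        print(f"{offset:08x}  {label}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on a packed executable to get a first list of suspicious offsets to
set BPX on. The limits are the usual ones for byte signatures: the scanner
only sees immediates written exactly as in the listings, so a packer that
builds 'BCHK' or 0F386h at runtime, or decrypts the check before executing
it, will not be caught, and a hit only says the sequence is present, not
that it is reachable.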
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>