About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
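A static byte-pattern scanner for the tricks listed above, as an added example that is not part of the original text: it turns the immediates, interrupt numbers and device-name strings quoted in the methods into regexes and reports which method a code blob uses, so an analyst can triage a packed binary before stepping through it. The sample blobs are constructed from the listings above; the allowed gap lengths between instructions are assumptions.

```python
"""Flag anti-SoftICE checks (methods 01-13 above) in raw x86 code/data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    method: str          # method number in the text above
    name: str
    pattern: re.Pattern


def _rx(pat: bytes) -> re.Pattern:
    return re.compile(pat, re.DOTALL)


# '\\.\SICE', '\\.\SIWVID', '\\.\NTICE' as passed to CreateFileA / _lopen (Method 11)
DEVICE_NAME = re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"

RULES = (
    # mov ebp,4243484Bh -> BD 4B 48 43 42 (the 'BCHK' constant)
    Rule("01", "BoundsChecker 'BCHK' constant", _rx(rb"\xBD\x4B\x48\x43\x42")),
    # mov si,4647h / mov di,4A4Dh (16-bit) -> BE 47 46 ... BF 4D 4A
    Rule("02", "int 3 back door magic values SI=4647h DI=4A4Dh",
         _rx(rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A")),
    # mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) shortly before int 2Fh
    Rule("03/04", "int 2Fh/1684h with SICE or SIWVID VxD ID",
         _rx(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F")),
    # int 41h then cmp ax,0F386h (3D 86 F3); gap allows Stone's vector xchg's
    Rule("05/06", "int 41h followed by cmp ax,0F386h",
         _rx(rb"\xCD\x41.{0,24}\x3D\x86\xF3")),
    # mov ah,43h ; int 68h
    Rule("07", "int 68h/AH=43h WinICE V86 check", _rx(rb"\xB4\x43\xCD\x68")),
    Rule("11", "SoftICE device name (MeltICE)", re.compile(DEVICE_NAME, re.IGNORECASE)),
    # push 4Fh ; push 002A002Ah -> 6A 4F 68 2A 00 2A 00 (VWIN32_Int41Dispatch)
    Rule("12", "VxDCall VWIN32_Int41Dispatch 4Fh", _rx(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    Rule("13", "NuMega\\SoftICE registry key string",
         re.compile(rb"NuMega\\SoftICE", re.IGNORECASE)),
)


def scan(data: bytes):
    """Return sorted (offset, method, name) tuples for every rule match."""
    hits = [(m.start(), r.method, r.name) for r in RULES for m in r.pattern.finditer(data)]
    return sorted(hits)


def methods(data: bytes):
    """Distinct method labels found in data, sorted."""
    return sorted({method for _, method, _ in scan(data)})


def report(data: bytes):
    """Human-readable lines, one per hit."""
    return [f"0x{off:04X} Method {method}: {name}" for off, method, name in scan(data)]


# Constructed samples, assembled by hand from the listings above.
SAMPLE_HASP_LOOP = bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")        # Method 02 body
SAMPLE_INT41 = bytes.fromhex("B84F00 CD41 3D86F3 7405")                 # Method 05, simplest form
SAMPLE_INT2F = bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F 8CC0 03C7 85C0 7505")  # Method 03
SAMPLE_MELTICE = b"\\\\.\\SICE\x00"                                     # Method 11 string
SAMPLE_CLEAN = bytes.fromhex("55 8BEC 33C0 5D C3")                       # harmless prologue/epilogue

if __name__ == "__main__":
    blob = SAMPLE_HASP_LOOP + SAMPLE_INT41 + SAMPLE_INT2F + SAMPLE_MELTICE + SAMPLE_CLEAN
    print("\n".join(report(blob)))
```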