<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; al is changed if the int 3 was serviced
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

        4C19:0095  MOV AX,0911     ; execute command.
        4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A  MOV SI,4647     ; 1st magic value.
        4C19:009D  MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1  ADD BX,02       ; BX+2 to point to next command to execute
        4C19:00A4  INC CX
        4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8  JB 0095         ; 6 different commands.
        4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
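As an added example (not part of the original text), here is a small Python scanner that flags the int 3 back door of method 02 and the BoundsChecker check of method 01 in raw code bytes: it looks for the magic immediates (mov si,4647h / mov di,4A4Dh, or mov ebp,4243484Bh) in a short window before a CC opcode, the same way an unpacker or AV signature would. The first sample is assembled by hand from the Haspinst.exe listing above; the 32-bit method 01 sample and the 16-byte window size are my assumptions.

```python
import re

# Encodings of the set-up instructions that precede the INT 3 (0xCC):
# 16-bit: mov si,imm16 = BE iw, mov di,imm16 = BF iw, mov ax,imm16 = B8 iw
# 32-bit: mov ebp,imm32 = BD id, mov ax,imm16 = 66 B8 iw
SI_MAGIC = b"\xbe\x47\x46"            # mov si,4647h
DI_MAGIC = b"\xbf\x4d\x4a"            # mov di,4A4Dh
BCHK_EBP = b"\xbd\x4b\x48\x43\x42"    # mov ebp,4243484Bh ('BCHK')
AX_IMM16 = re.compile(rb"\x66?\xb8(..)", re.DOTALL)  # mov ax,imm16, 16- or 32-bit

WINDOW = 16  # assumed: how far back from the CC we look for the set-up code

def scan_softice_backdoor(code: bytes):
    """Return one hit per INT 3 that is preceded by the magic values.
    A hit is a dict with the offset of the CC byte, the method name and the
    AX function number taken from the last 'mov ax,imm16' in the window."""
    hits = []
    for off in range(len(code)):
        if code[off] != 0xCC:
            continue
        window = code[max(0, off - WINDOW):off]
        if SI_MAGIC in window and DI_MAGIC in window:
            method = "02 (SoftICE back door, SI=4647h/DI=4A4Dh)"
        elif BCHK_EBP in window:
            method = "01 (BoundsChecker 'BCHK' signature)"
        else:
            continue  # a bare CC: padding, data or an ordinary breakpoint
        ax = None
        for m in AX_IMM16.finditer(window):
            ax = int.from_bytes(m.group(1), "little")
        hits.append({"offset": off, "method": method, "ax": ax})
    return hits

# Constructed sample 1: the loop of the Haspinst.exe listing, assembled by hand (16-bit).
HASPINST_LOOP = bytes.fromhex(
    "b81109"    # 0095 mov ax,0911
    "8b17"      # 0098 mov dx,[bx]
    "be4746"    # 009a mov si,4647
    "bf4d4a"    # 009d mov di,4a4d
    "cc"        # 00a0 int 3
    "83c302"    # 00a1 add bx,02
    "41"        # 00a4 inc cx
    "83f906"    # 00a5 cmp cx,06
    "72eb"      # 00a8 jb 0095
)

# Constructed sample 2: method 01 as a 32-bit sequence (assumed encoding, not from the page).
BCHK_CHECK = bytes.fromhex(
    "bd4b484342"  # mov ebp,4243484bh
    "66b80400"    # mov ax,4
    "cc"          # int 3
    "3c04"        # cmp al,4
    "7500"        # jnz ... (displacement left as 0, placeholder)
)

if __name__ == "__main__":
    for sample in (HASPINST_LOOP, BCHK_CHECK, b"\xcc" * 8):
        print(scan_softice_backdoor(sample))
```

The third input (a run of CC padding) produces no hit, which is the point of requiring the magic immediates instead of matching on int 3 alone.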
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI stays 0 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h vector (es must be 0)
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; only reached if int 41h was not intercepted
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; an arbitrary byte from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al if our handler was never called
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
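Why 0x400 versus 0x700: bit 10 of DR7 is reserved and always reads as 1 (0x400), while bits 8 and 9 are LE and GE (0x300), which a debugger sets to get exact data-breakpoint reporting; any enabled L/G bit means a BPM is armed. As an added example (not from the original text), this Python decoder splits a DR7 value into its fields per the Intel SDM and applies that rule of thumb; it works on values you already captured, since reading the register itself is ring0 only. The third sample value and the wording of the verdicts are my own.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"): bits 0..7 = L0,G0 .. L3,G3
# enable pairs; bit 8 = LE, bit 9 = GE (exact breakpoint reporting); bit 10 is
# reserved and always 1; bit 13 = GD; per breakpoint n, R/Wn occupies 2 bits at
# 16+4n and LENn occupies 2 bits at 18+4n.
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}

def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into its named fields."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        bps.append({"n": n, "enabled": bool(local or glob),
                    "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "reserved_bit10": bool(dr7 & 0x400), "GD": bool(dr7 & 0x2000),
            "breakpoints": bps}

def classify_dr7(dr7: int) -> str:
    """Apply the text's rule of thumb: 0x400 is the idle value (reserved bit
    only), 0x700 adds LE|GE as left by the SoftICE loader, and any enabled
    slot means a memory breakpoint (BPM) is armed."""
    d = decode_dr7(dr7)
    armed = [b["n"] for b in d["breakpoints"] if b["enabled"]]
    if armed:
        return "hardware breakpoint(s) armed in dr%s" % ",dr".join(map(str, armed))
    if d["LE"] and d["GE"]:
        return "no breakpoints, LE|GE set (0x700 pattern: loaded via SoftICE loader)"
    return "no breakpoints, idle (0x400 pattern)"

# Constructed values: the two from the text plus one with a 4-byte read/write
# BPM armed in dr0 (L0=1, R/W0=11b, LEN0=11b), i.e. 0xF0701.
SAMPLES = [0x400, 0x700, 0x700 | 0x1 | (0b11 << 16) | (0b11 << 18)]

if __name__ == "__main__":
    for v in SAMPLES:
        print(hex(v), "->", classify_dr7(v))
```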

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001         ; INVALID_HANDLE_VALUE
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>