<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx point to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs              ; ES is assumed to be 0 (the IVT segment) here
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original one
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 (the IVT segment)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our own int 41h handler...
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = a random value read from the timer port
        xor cx,cx
        int 41h                 ; reaches our handler only if nobody hooks int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original one
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025         ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
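As an added example (not part of the original text), a small Python triage script that looks for the constants these methods rely on in a raw code/data buffer, so an analyst can spot which of the tricks above a packer uses before stepping into it: the 'BCHK' value of method 01, the SI/DI magic values of method 02, the int 2Fh/1684h VxD IDs of methods 03/04, the int 41h/4Fh, int 68h/43h and 0F386h checks of methods 05, 06, 07 and 12, and the driver/registry names of methods 11 and 13. The byte encodings and the sample buffer are constructed here; they assume plain x86 encodings and give a triage hint, not proof that a trick is present.

```python
import re

# One byte-regex per trick, built from the constants the methods above use.
# Short gaps (.{0,n}) allow for interleaved instructions; encodings assume
# plain x86 (16-bit code, or 32-bit code with a 66h operand-size prefix).
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc", re.DOTALL)),
    ("02 back door magic SI=4647h DI=4A4Dh",
     re.compile(rb"\x66?\xbe\x47\x46.{0,4}\x66?\xbf\x4d\x4a", re.DOTALL)),
    ("03 int 2Fh/1684h VxD ID 0202h (SICE)",
     re.compile(rb"\xb8\x84\x16.{0,6}\xbb\x02\x02.{0,6}\xcd\x2f", re.DOTALL)),
    ("04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16.{0,6}\xbb\x5f\x7a.{0,6}\xcd\x2f", re.DOTALL)),
    ("05/06 int 41h function 4Fh",
     re.compile(rb"\xb8\x4f\x00.{0,6}\xcd\x41", re.DOTALL)),
    ("07 int 68h function 43h",
     re.compile(rb"\xb4\x43.{0,6}\xcd\x68", re.DOTALL)),
    ("12 VxDCall VWIN32_Int41Dispatch 4Fh",
     re.compile(rb"\x6a\x4f.{0,6}\x68\x2a\x00\x2a\x00", re.DOTALL)),
    ("05/07/12 cmp ax,0F386h",
     re.compile(rb"\x66?\x3d\x86\xf3")),
]
# Methods 11 and 13: driver and registry names show up as plain strings.
for name in (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE",
             b"Software\\NuMega\\SoftICE"):
    SIGNATURES.append(("11/13 name " + name.decode(), re.compile(re.escape(name))))


def scan(data):
    """Return {label: [offsets]} for every signature that occurs in data."""
    hits = {}
    for label, pattern in SIGNATURES:
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[label] = offsets
    return hits


# Constructed sample: four of the tricks hand-assembled, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # method 01
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"          # method 02
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"                  # method 05
    + b"\\\\.\\SICE\x00"                                           # method 11
)

if __name__ == "__main__":
    for label, offsets in sorted(scan(SAMPLE).items(), key=lambda kv: kv[1]):
        print("%-40s at %s" % (label, ", ".join("0x%x" % o for o in offsets)))
```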
</PRE></TD></TR></TBODY></TABLE>