About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the signature of BoundsChecker inside SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

Here al is loaded with a timer reading from port 40h and cx is cleared
before the call; the program's own handler copies al into cl, so if that
handler never runs (the debugger intercepts int 41h first), cl stays 0
and differs from al.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
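
The two DR7 values quoted above (0x700 and 0x400) only make sense once the
register's bit layout is in front of you, and the same layout tells an analyst
which BPMs a Method 10 check would see. The following Python decoder is an
added example, not code from the original text: it follows the DR7 bit layout
documented in the Intel SDM, the function names and the dataclass are my own,
and the third sample value (a global 4-byte write breakpoint in slot 0) is
constructed for the demonstration.

```python
# Added example (not part of the original text): decode the x86 DR7 debug
# control register that Method 10 reads from ring0. Bit positions follow the
# Intel SDM, vol. 3, "Debug Registers":
#   bits 0..7    L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for dr0..dr3
#   bit  8       LE  local exact breakpoint enable
#   bit  9       GE  global exact breakpoint enable
#   bit 10       reserved, always reads as 1 (this is the 0x400 in the text)
#   bit 13       GD  general detect: traps any MOV to/from a debug register
#   bits 16+4i   R/W_i (2 bits): 00 exec, 01 write, 10 I/O, 11 read/write
#   bits 18+4i   LEN_i (2 bits): 00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes

from dataclasses import dataclass

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED1 = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 8 bytes only in 64-bit mode


@dataclass
class HwBreakpoint:
    index: int       # 0..3: which of dr0..dr3 holds the linear address
    local: bool      # Li bit set
    global_: bool    # Gi bit set
    kind: str        # exec / write / io / read/write
    length: int      # 1, 2, 4 or 8 bytes

    @property
    def enabled(self) -> bool:
        return self.local or self.global_


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its control flags and four breakpoint slots."""
    slots = []
    for i in range(4):
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append(HwBreakpoint(
            index=i,
            local=bool(dr7 & (1 << (2 * i))),
            global_=bool(dr7 & (1 << (2 * i + 1))),
            kind=RW_NAMES[rw],
            length=LEN_BYTES[ln],
        ))
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "reserved_bit10": bool(dr7 & DR7_RESERVED1),
        "breakpoints": slots,
    }


def armed_breakpoints(dr7: int) -> list:
    """Slots whose L or G bit is set: the BPMs a Method 10 check would notice."""
    return [bp for bp in decode_dr7(dr7)["breakpoints"] if bp.enabled]


def started_under_debugger(dr7: int) -> bool:
    """Method 10's heuristic: LE and GE both set (0x700) means the program was
    started by the SoftICE loader; a normal start leaves only bit 10 (0x400)."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def describe(dr7: int) -> str:
    """One-line analyst summary of a DR7 value."""
    d = decode_dr7(dr7)
    bps = ", ".join(
        f"dr{bp.index}:{bp.kind}/{bp.length}B/{'G' if bp.global_ else 'L'}"
        for bp in armed_breakpoints(dr7)
    ) or "none"
    return (f"dr7=0x{dr7:x} LE={int(d['le'])} GE={int(d['ge'])} GD={int(d['gd'])} "
            f"armed={bps} loader={'yes' if started_under_debugger(dr7) else 'no'}")


if __name__ == "__main__":
    # The two values quoted in Method 10, plus a constructed value with a
    # global 4-byte write breakpoint in slot 0 (G0 | RW0=01 | LEN0=11).
    for value in (0x700, 0x400, 0x400 | 0b10 | (0b01 << 16) | (0b11 << 18)):
        print(describe(value))
```

Note that GD (bit 13) is the flag a debugger can set to make the very `mov eax, dr7` this method relies on fault into the debugger, which is why the text warns against tracing while the check is active.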

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
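
The breakpoints above catch these tricks at run time; before running a sample
at all, an analyst usually wants to know statically whether it carries them.
Methods 01, 02, 05 and 11 each leave a fixed byte sequence in the binary (the
'BCHK' constant, the 4647h/4A4Dh magic values, the `mov ax,4fh` / `int 41h`
pair, the \\.\SICE / \\.\SIWVID / \\.\NTICE device names). The scanner below is
an added example, not code from the original text: the signatures, the
constructed sample bytes and every function name are my own, and the opcode
encodings assume unobfuscated 16-bit or 32-bit x86 code with ASCII strings.

```python
# Added example (not part of the original text): static triage scanner for the
# byte patterns that Methods 01, 02, 05 and 11 leave behind in a binary.
# Opcode notes (Intel SDM): B8+r = mov r16/r32,imm (a 66h prefix selects a
# 16-bit operand in 32-bit code), BD = mov ebp,imm32, BE/BF = mov si/di,imm16,
# CC = int 3, CD xx = int xx.

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    method: str    # method number from the text
    what: str      # human-readable description
    offset: int    # byte offset in the scanned data
    raw: bytes     # the matched bytes


# (method, description, compiled bytes regex). Gaps of up to 16 bytes are
# allowed between the instructions of one check to tolerate interleaved code.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' constant (mov ebp,4243484Bh) followed by int 3",
     re.compile(b"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.DOTALL)),
    ("02", "int 3 back door magic values SI=4647h and DI=4A4Dh",
     re.compile(b"(?:\x66?\xbe\x47\x46.{0,16}?\x66?\xbf\x4d\x4a"
                b"|\x66?\xbf\x4d\x4a.{0,16}?\x66?\xbe\x47\x46)", re.DOTALL)),
    ("05", "system debugger check: mov ax,4fh ; int 41h",
     re.compile(b"\x66?\xb8\x4f\x00(?:\x00\x00)?\xcd\x41", re.DOTALL)),
    ("11", "MeltICE device name passed to CreateFileA/_lopen",
     re.compile(re.escape(b"\\\\.\\") + b"(?:SICE|SIWVID|NTICE)")),
]


def scan(data: bytes) -> list:
    """Return every signature hit in data, ordered by offset."""
    hits = []
    for method, what, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append(Finding(method, what, m.start(), m.group(0)))
    return sorted(hits, key=lambda f: (f.offset, f.method))


def methods_present(data: bytes) -> set:
    """Just the set of anti-SoftICE method numbers seen, for a quick verdict."""
    return {f.method for f in scan(data)}


# Constructed sample (not a real program): 16-bit code using the int 3 back
# door, the BCHK check and the int 41h check, followed by two device names.
SAMPLE = (
    b"\x90" * 4                      # 0x00: nops
    + b"\xb8\x11\x09"                # 0x04: mov ax,0911h  (execute SIce command)
    + b"\xbe\x47\x46"                # 0x07: mov si,4647h  (1st magic value)
    + b"\xbf\x4d\x4a"                # 0x0a: mov di,4A4Dh  (2nd magic value)
    + b"\xcc"                        # 0x0d: int 3
    + b"\x90" * 3                    # 0x0e: nops
    + b"\xbd\x4b\x48\x43\x42"        # 0x11: mov ebp,4243484Bh ('BCHK')
    + b"\xb8\x04\x00\xcc"            # 0x16: mov ax,4 ; int 3
    + b"\xb8\x4f\x00\xcd\x41"        # 0x1a: mov ax,4fh ; int 41h
    + b"\x90" * 5                    # 0x1f: nops
    + b"\\\\.\\SICE\x00"             # 0x24: "\\.\SICE",0
    + b"\\\\.\\NTICE\x00"            # 0x2d: "\\.\NTICE",0
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"+0x{f.offset:04x}  method {f.method}  {f.what}  [{f.raw.hex()}]")
```

A hit only says the bytes are present; packers that build the magic values at run time (for example by xor-ing two constants) will not match, so treat an empty result as "nothing obvious", not as a clean bill of health.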

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.