<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095  MOV  AX,0911     ; execute command.
        4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A  MOV  SI,4647     ; 1st magic value.
        4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
        4C19:00A0  INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
        4C19:00A4  INC  CX
        4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
        4C19:00A8  JB   0095        ; 6 different commands.
        4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
        4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (0000:0000)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; only runs if nobody else owns int 41h
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = timer byte, an unpredictable value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: our handler never ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
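As an added example (not part of the original page), here is a small Python triage scanner that flags, in a raw binary buffer, the signatures quoted in Methods 01, 02, 05/12, 11 and 13: the 'BCHK' load followed by int 3, the 4647h/4A4Dh magic values before int 3, the cmp ax,0F386h check, the \\.\SICE, \\.\SIWVID and \\.\NTICE driver names, and the NuMega registry key. The x86 byte encodings are standard and assumed here, and the sample buffer is constructed from the listings above, not taken from a real file.

```python
import re

# Added example: static triage scanner for the anti-SoftICE signatures quoted on
# this page (Methods 01, 02, 05/12, 11 and 13). Encodings are standard x86 and were
# hand-assembled from the listings; the SAMPLE buffer below is constructed.
#   Method 01: mov ebp,4243484Bh = BD 4B 48 43 42 ; mov ax,4 = [66] B8 04 00 ; int 3 = CC
#   Method 02: mov si,4647h = BE 47 46 ; mov di,4A4Dh = BF 4D 4A ; int 3 = CC (16-bit code)
#   Method 05/12: cmp ax,0F386h = [66] 3D 86 F3 (only 3 bytes, so a noisy hint on its own)
DRIVER_NAMES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]        # Method 11 (MeltICE)
REGISTRY_KEY = rb"Software\NuMega\SoftICE"                          # Method 13 (key #2)

SIGNATURES = {
    "method01_bchk_int3":      rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    "method02_backdoor_magic": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    "method05_12_f386_magic":  rb"(?:\x66)?\x3D\x86\xF3",
    "method11_driver_name":    b"|".join(re.escape(n) for n in DRIVER_NAMES),
    "method13_registry_key":   re.escape(REGISTRY_KEY),
}
# re.S so '.' in the gap patterns also matches a 0x0A byte
COMPILED = {name: re.compile(pat, re.S) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return (signature_name, offset) pairs for every hit, ordered by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def methods_detected(data: bytes) -> set:
    """Just the signature names that fire, for a one-line triage verdict."""
    return {name for name, _ in scan(data)}


# Constructed sample: the page's snippets back to back, with NOP padding in front.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"           # Method 01, 32-bit code
    + b"\x3C\x04\x75\x10"                                   # cmp al,4 ; jnz SoftICE_Detected
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02 listing at 4C19:0095
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"           # Method 05: int 41h/4Fh check
    + rb"\\.\SICE" + b"\x00" + rb"\\.\SIWVID" + b"\x00"     # Method 11 driver names
    + REGISTRY_KEY + b"\x00"                                # Method 13 registry key
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The 3-byte 0F386h compare fires on unrelated code too, so treat that hit as a pointer to confirm by disassembly rather than a verdict on its own.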


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>