<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh      ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of winice
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh            ; VxD ID of SIWVID
        int 2fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax                ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]      ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]    ; saving the old vector in dx:bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]      ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                     ; does nothing: without a debugger, ax stays 4fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al                ; our handler only copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]      ; hook int 41h with our handler,
        xchg bx, es:[41h*4+2]    ; saving the old vector in dx:bx
        in al, 40h               ; al = pseudo-random value (timer channel 0)
        xor cx,cx
        int 41h                  ; if our handler runs, cl = al
        xchg dx, es:[41h*4]      ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al                ; cl != al -> int 41h was not reflected to us
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number       ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* Opening the VxD by its device name only succeeds if SoftICE is loaded. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001    ; VxDCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
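
As an added example (not part of the original text), here is a small Python
triage scanner that looks for the byte sequences and strings of methods 01 to 13
above in a raw code blob, the kind of check an analyst runs over a packed sample
before stepping into it. It assumes standard x86 encodings (16-bit operand size
for the DOS tricks, 32-bit for the Win32 ones) and exact byte matches, so a
packer that reorders or obfuscates the instructions is not flagged; the sample
blob is constructed.

```python
import re
from dataclasses import dataclass

# Byte signatures for the checks above: x86 encodings of the instruction
# sequences the text lists, plus the driver-name and registry strings.
# Assumed encodings: 16-bit operand size for DOS tricks, 32-bit for Win32.
_SIG = [
    ("01", "mov ebp,'BCHK' ... int 3 (BoundsChecker)", rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc"),
    ("02", "mov si,4647h / mov di,4A4Dh (back door magic)", rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a"),
    ("03", "int 2Fh/1684h with bx=0202h (SICE VxD id)", rb"\xb8\x84\x16.{0,8}\xbb\x02\x02.{0,8}\xcd\x2f"),
    ("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD id)", rb"\xb8\x84\x16.{0,8}\xbb\x5f\x7a.{0,8}\xcd\x2f"),
    ("05", "mov ax,4Fh / int 41h", rb"\xb8\x4f\x00.{0,4}\xcd\x41"),
    ("05", "int 41h ... cmp ax,0F386h", rb"\xcd\x41.{0,8}\x3d\x86\xf3"),
    ("07", "mov ah,43h / int 68h", rb"\xb4\x43\xcd\x68"),
    ("12", "push 4Fh / push 002A002Ah (VxDCall Int41Dispatch)", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
# Literal strings are escaped so the regex engine treats them as plain bytes.
for _name in (rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"):
    _SIG.append(("11", "CreateFileA/_lopen on " + _name.decode(), re.escape(_name)))
for _key in (rb"Software\NuMega\SoftICE", rb"Uninstall\SoftICE", rb"App Paths\Loader32.Exe"):
    _SIG.append(("13", "registry key " + _key.decode(), re.escape(_key)))

_COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in _SIG]


@dataclass(frozen=True)
class Hit:
    method: str        # method number as used in the text above
    description: str
    offset: int        # byte offset of the match in the scanned blob


def scan(blob: bytes) -> list[Hit]:
    """Return every signature match in blob, ordered by offset."""
    hits = [Hit(m, d, mo.start()) for m, d, rx in _COMPILED for mo in rx.finditer(blob)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(blob: bytes) -> set[str]:
    return {h.method for h in scan(blob)}


# Constructed sample: NOP filler around hand-assembled copies of methods 01,
# 03 and 05 plus the MeltICE driver name and the NuMega registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"   # mov ebp,4243484Bh; mov ax,4; int 3
    + b"\x90" * 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"           # mov ax,1684h; mov bx,202h; int 2Fh
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"           # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x00\x00"
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"+{h.offset:04x}  method {h.method}: {h.description}")
```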
</PRE></TD></TR></TBODY></TABLE>