About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

                                ; ES must point to the interrupt vector table
                                ; (segment 0) here, as set up in Method 06.
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]    ; saving the old vector in dx:bx
    mov     ax,4fh
    int     41h                 ; a debugger intercepts this before our handler
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; leaves ax untouched (still 4fh) when no debugger
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl == al only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
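The methods above share a handful of constants: the 'BCHK' immediate of method 01, the SI/DI magic values of method 02, the SICE/SIWVID VxD IDs of methods 03 and 04, the int 41h/4Fh probe of method 05, the int 68h/43h probe of method 07, the \\.\SICE-style device names of method 11, the 002A002Ah VxDCall word of method 12 and the NuMega registry key of method 13. As an added example that is not part of the original post, here is a small Python signature scanner that flags those byte patterns in a file for triage. The signature list, its labels, the scan() function and the SAMPLE buffer are my own constructions; the byte encodings are the standard x86 encodings of the instructions shown in the text.

```python
"""Static triage scanner for the anti-SoftICE patterns described above.

Added example (not from the original post). The SAMPLE buffer is
constructed for demonstration and is not taken from any real binary.
"""
import re
import sys

# (label, pattern). Each pattern is a short, order-sensitive byte signature
# built from the constants the text singles out for each method.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42
    ("Method 01: BoundsChecker 'BCHK' int 3 probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42", re.DOTALL)),
    # Method 02: mov si,4647h (BE 47 46) ... mov di,4A4Dh (BF 4D 4A)
    ("Method 02: SoftICE back door magic SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov bx,0202h (BB 02 02) or mov bx,7A5Fh (BB 5F 7A) ... int 2Fh (CD 2F)
    ("Method 03/04: int 2Fh/1684h with SICE or SIWVID VxD ID",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh (B8 4F 00) ; int 41h (CD 41)
    ("Method 05: int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h (B4 43) ; int 68h (CD 68)
    ("Method 07: int 68h function 43h",
     re.compile(rb"\xB4\x43\xCD\x68", re.DOTALL)),
    # Method 11: the NUL-terminated ANSI device names MeltICE opens
    ("Method 11: MeltICE driver name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.DOTALL)),
    # Method 12: push 4Fh (6A 4F) ; push 002A002Ah (68 2A 00 2A 00)
    ("Method 12: VxDCall VWIN32_Int41Dispatch with function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.DOTALL)),
    # Method 13: the registry key the text says is usually used
    ("Method 13: NuMega\\SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.DOTALL)),
]


def scan(data: bytes):
    """Return (offset, label) pairs for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), label))
    return sorted(hits)


# Constructed sample: a fake 16-byte header followed by four of the patterns
# above, separated by NOP padding. Not taken from any real file.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xBD\x4B\x48\x43\x42" + b"\xB8\x04\x00\xCC"   # Method 01 at offset 16
    + b"\x90" * 5
    + b"\xB8\x4F\x00\xCD\x41" + b"\x3D\x86\xF3"       # Method 05 at offset 30 (+ cmp ax,0F386h)
    + b"\x90" * 5
    + b"\\\\.\\SICE\x00"                               # Method 11 at offset 43
    + b"\x90" * 5
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                 # Method 12 at offset 57
    + b"\x00" * 8
)


def main(argv):
    # With a path argument the given file is scanned, otherwise the SAMPLE buffer.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"0x{offset:08X}  {label}")


if __name__ == "__main__":
    main(sys.argv)
```

The 16-bit snippets in the text (methods 02 to 07) are DOS encodings; in 32-bit code the same immediates sit behind a 66h operand-size prefix, which these patterns still match because they anchor on the opcode byte onward. A stub that decrypts itself at run time will not show these bytes on disk, so treat a hit as a first-pass triage signal and confirm it dynamically with the BPX and BPINT conditions the text gives for each method.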