<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmps back.
    4C19:00AD MOV BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax             ; es:0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler, keep the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                   ; dummy handler: ax is left untouched unless a debugger answered
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
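
As an added example (not part of the original text, and not NuMega's, Stone's
or any packer's code), here is a small static scanner, written in Python, that
looks for the traces the tricks described above leave in a binary: the opcode
sequences of methods 01, 02, 03/04, 05, 07, 10 and 12, the driver device names
of method 11 (also used by the _lopen variant) and the registry key strings of
method 13. The x86 encodings are the standard ones (mov r16,imm16 = B8+r iw,
mov ebp,imm32 = BD id, int n = CD ib, int 3 = CC, push imm8 = 6A ib,
mov r32,drN = 0F 21 /r). The sample buffer is hand-assembled and constructed for
the example, not taken from any real program. A hit is a triage aid telling an
analyst where to look; it does not prove the code is ever reached.

```python
import re

# (page method, description, byte pattern) - see the lead-in for the encodings.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' signature followed by int 3",
     # mov ebp,4243484Bh ('BCHK', little-endian in memory) ... int 3 within 8 bytes
     re.compile(rb"\xbd\x4b\x48\x43\x42[\x00-\xff]{0,8}\xcc")),
    ("02", "SoftICE back-door magic values SI=4647h / DI=4A4Dh",
     # mov si,4647h ; mov di,4A4Dh (either order)
     re.compile(rb"\xbe\x47\x46\xbf\x4d\x4a|\xbf\x4d\x4a\xbe\x47\x46")),
    ("03/04", "int 2Fh/1684h entry-point query for the SICE or SIWVID VxD",
     # mov ax,1684h ; mov bx,0202h or 7A5Fh ... int 2Fh
     re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)[\x00-\xff]{0,8}\xcd\x2f")),
    ("05", "int 41h function 4Fh debugger installation check",
     re.compile(rb"\xb8\x4f\x00\xcd\x41")),          # mov ax,4Fh ; int 41h
    ("07", "int 68h function 43h V86 debugger check",
     re.compile(rb"\xb4\x43\xcd\x68")),              # mov ah,43h ; int 68h
    ("10", "debug register read (mov r32,drN)",
     re.compile(rb"\x0f\x21[\xc0-\xff]")),           # 0F 21 /r with mod=11
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     # push 4Fh (imm8 or imm32 form) ; push 002A002Ah
     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00")),
    ("11", "SoftICE driver device name (MeltICE / _lopen variant)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b")),   # \\.\SICE etc.
    ("13", "SoftICE registry key string",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(blob):
    """Return a sorted list of (offset, method, description) hits found in blob."""
    hits = []
    for method, description, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), method, description))
    return sorted(hits)


def methods_found(blob):
    """Set of page method numbers whose signature occurs at least once in blob."""
    return {method for _, method, _ in scan(blob)}


# Constructed sample: hand-assembled fragments of the page's tricks glued
# together with NOP filler, plus the MeltICE device name and a registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"               # mov ebp,4243484Bh ('BCHK')
    + b"\x66\xb8\x04\x00"                   # mov ax,4 (32-bit code, 66h prefix)
    + b"\xcc"                               # int 3
    + b"\x3c\x04"                           # cmp al,4
    + b"\x90" * 4
    + b"\xbe\x47\x46\xbf\x4d\x4a"           # mov si,4647h ; mov di,4A4Dh
    + b"\xcc"                               # int 3
    + b"\xb8\x4f\x00\xcd\x41"               # mov ax,4Fh ; int 41h
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"   # mov ax,1684h ; mov bx,202h ; int 2Fh
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"       # push 4Fh ; push 2A002Ah
    + b"\\\\.\\SICE\x00"                    # MeltICE device name
    + b"Software\\NuMega\\SoftICE\x00"      # registry key #2
)

# Constructed buffer with none of the signatures.
CLEAN = b"\x90" * 16 + b"hello world\x00"


if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"offset {offset:#06x}: method {method} - {description}")
    print("clean buffer hits:", methods_found(CLEAN))
```

The patterns deliberately anchor on the immediates and the interrupt opcode,
so a packer that reorders the register loads or inserts junk between them can
slip past; treat the list as a starting point to extend, not as a complete
detector.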

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>