About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: with
EBP='BCHK' and AX=4, the INT 3 is answered by SoftICE's handler when it is
loaded, and AL no longer holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): ES:DI is zeroed beforehand and only becomes
non-zero if a VxD with that ID answers.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install int41handler2 as the int 41h vector
    xchg    bx, es:[41h*4+2]        ; (ES is assumed to be 0, as set up in method 06)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler as the int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = timer value, not the usual 4Fh
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
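
As an added example for the debug-register check above (not code from the original post), the following Python decodes a DR7 value into its fields using the standard x86 layout, so the quoted values can be read off: 0x400 is only the always-set reserved bit 10, while 0x700 additionally has LE (bit 8) and GE (bit 9) set, and any armed L0-L3/G0-G3 pair is a hardware (BPM-style) breakpoint. The 0xD00408 sample value is constructed.

```python
X86_DR7_RW = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
X86_DR7_LEN = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def bit(value, i):
    """Bit i of value as 0/1."""
    return (value >> i) & 1


def decode_dr7(dr7):
    """Split a DR7 value into its enable bits and the armed DR0-DR3 slots."""
    armed = []
    for n in range(4):
        local, glob = bit(dr7, 2 * n), bit(dr7, 2 * n + 1)   # Ln / Gn
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3                     # R/Wn field
            ln = (dr7 >> (18 + 4 * n)) & 3                     # LENn field
            armed.append({"dr": n, "local": bool(local), "global": bool(glob),
                          "type": X86_DR7_RW[rw], "len": X86_DR7_LEN[ln]})
    return {
        "LE": bool(bit(dr7, 8)),               # local exact breakpoint enable
        "GE": bool(bit(dr7, 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(bit(dr7, 10)),  # architecturally reads as 1
        "GD": bool(bit(dr7, 13)),              # general detect (traps DRn access)
        "armed": armed,
    }


def looks_like_softice_loader(dr7):
    """The post's 0x700 vs 0x400 distinction is exactly LE and GE being set."""
    return bool(bit(dr7, 8) and bit(dr7, 9))


def bpm_slots(dr7):
    """DR slots that currently carry a memory breakpoint (a SoftICE BPM)."""
    return [slot["dr"] for slot in decode_dr7(dr7)["armed"]]


if __name__ == "__main__":
    # Constructed values: the two the post quotes, plus one with a 4-byte
    # global write breakpoint in DR1 (G1 + R/W1=01b + LEN1=11b).
    for dr7 in (0x400, 0x700, 0xD00408):
        print(hex(dr7), decode_dr7(dr7), "loader:", looks_like_softice_loader(dr7))
```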

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API: build with the Windows SDK headers (windows.h). */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name the SoftICE VxD answers to. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

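As an added example (not the post's code), the following Python scanner looks for the byte encodings of the detection sequences described in methods 01 to 05, 07, 11 and 12 in a raw code blob: this is how an analyst would triage a binary for these checks offline instead of breaking on them in SoftICE. The opcode encodings are the standard x86 ones; the sample blob and the 12-byte follow-up window are constructed.

```python
# Byte patterns of the detection code the post describes, as they are encoded
# in 16-bit code (32-bit builds add 66h operand-size prefixes, which the
# shorter patterns still match as a substring). Each entry: (pattern, opcode
# that must follow within FOLLOW_WINDOW bytes, or None).
SIGNATURES = {
    "M01 mov ebp,'BCHK' + int 3":         (b"\xbd\x4b\x48\x43\x42", b"\xcc"),
    "M02 back-door magic SI/DI + int 3":  (b"\xbe\x47\x46\xbf\x4d\x4a", b"\xcc"),
    "M03 int 2Fh/1684h, SICE VxD ID":     (b"\xb8\x84\x16\xbb\x02\x02", b"\xcd\x2f"),
    "M04 int 2Fh/1684h, SIWVID VxD ID":   (b"\xb8\x84\x16\xbb\x5f\x7a", b"\xcd\x2f"),
    "M05 mov ax,4Fh / int 41h":           (b"\xb8\x4f\x00\xcd\x41", None),
    "M07 mov ah,43h / int 68h":           (b"\xb4\x43\xcd\x68", None),
    "M12 push 002A002Ah (VWIN32_Int41Dispatch)": (b"\x68\x2a\x00\x2a\x00", None),
}
# Method 11 (MeltICE and the _lopen variant): device names handed to CreateFile.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
FOLLOW_WINDOW = 12


def find_all(data, pattern):
    """Every offset at which pattern occurs in data (overlaps included)."""
    pos, out = data.find(pattern), []
    while pos != -1:
        out.append(pos)
        pos = data.find(pattern, pos + 1)
    return out


def scan(data):
    """Return sorted (offset, label) hits for the anti-SoftICE patterns above."""
    hits = []
    for label, (pattern, follow) in SIGNATURES.items():
        for pos in find_all(data, pattern):
            end = pos + len(pattern)
            # e.g. a 'BCHK' constant with no INT 3 nearby is not the method-01 check
            if follow is None or follow in data[end:end + FOLLOW_WINDOW]:
                hits.append((pos, label))
    for name in DEVICE_NAMES:
        for pos in find_all(data, name):
            hits.append((pos, "M11 device name " + name.decode()))
    return sorted(hits)


# Constructed sample: method 01 compiled as 32-bit code, a benign 'BCHK'
# immediate with no INT 3 after it, a MeltICE device name and a method-12 call.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"      # mov ebp,4243484Bh       (offset 4)
    + b"\x66\xb8\x04\x00"          # mov ax,4
    + b"\xcc"                      # int 3
    + b"\x3c\x04\x75\x10"          # cmp al,4 / jnz ...
    + b"\xbd\x4b\x48\x43\x42"      # mov ebp,'BCHK' again, but no INT 3 follows
    + b"\x90" * 16
    + b"\\\\.\\SICE\x00"           # "\\.\SICE"              (offset 39)
    + b"\x6a\x4f"                  # push 4Fh
    + b"\x68\x2a\x00\x2a\x00"      # push 002A002Ah          (offset 50)
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```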
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>