<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h vector
    xchg bx, es:[41h*4+2]   ; (ES is assumed to be 0 here, as set in Method 06)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer port to get a changing value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their values (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;         /* HANDLE, CreateFile, CloseHandle */

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 &amp; 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE> |