About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
: ~/ h( v9 ?3 m2 c& O1 k# k2 G</PRE></TD></TR></TBODY></TABLE>