<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                   ; al is changed if SoftICE answered
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a very widely used method (perhaps the most frequent one). It is used
to call SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of WINICE
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax                 ; ES:DI = 0000:0000 if the VxD is not loaded
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh               ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========
Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install a dummy int 41h handler (ES must
    xchg bx, es:[41h*4+2]       ; point to the IVT, i.e. ES = 0, as in Method 06)
    mov ax, 4Fh
    int 41h                     ; without a debugger the dummy handler IRETs
    xchg dx, es:[41h*4]         ; and ax stays 4Fh; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========
Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                  ; runs only if nobody else took int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; unpredictable value from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; cl == al only if our own handler was reached
    jnz SoftICE_Detected
___________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and changed as well
(clearing BPMs, for instance).
___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    /* Try to open the SoftICE Win9x driver by name: the open succeeds
       only if the VxD is loaded. */
    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected
___________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
___________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
+ i4 n8 p; {: X) V8 u1 ?- \/ q</PRE></TD></TR></TBODY></TABLE> |