<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0000:0000 -> VxD not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to point to segment 0 (the interrupt vector table)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler ...
    xchg bx, es:[41h*4+2]   ; ... keeping the old vector in BX:DX
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler did not touch AX: a debugger did
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only reached if nobody intercepts int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = PIT counter byte, a hard-to-guess value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL -> our handler was not the one called
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

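Added example, not from the original document: a Python decoder that splits a DR7 value into the fields Method 10 relies on (the L0-L3/G0-G3 enables, the LE/GE/GD flags and the R/W and LEN fields of each of dr0-dr3), so that 0x700, 0x400 and a value with a BPM set can be told apart. Bit positions follow the Intel debug-register layout; the sample values are constructed, and the code only decodes a value since reading DR7 itself needs ring0, as the text says.

```python
# Field layout of DR7 as the Intel debug-register documentation describes it;
# decoding only, since reading DR7 itself needs ring0 as the text says.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b means 8 bytes only in long mode

def decode_dr7(dr7):
    """Return the control flags and the enabled breakpoints encoded in dr7."""
    info = {
        "LE": bool(dr7 >> 8 & 1),     # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),     # global exact breakpoint enable
        "GD": bool(dr7 >> 13 & 1),    # general detect: trap on MOV DRx
        "breakpoints": [],
    }
    for i in range(4):
        local = dr7 >> (2 * i) & 1          # L0..L3 in bits 0,2,4,6
        glob = dr7 >> (2 * i + 1) & 1       # G0..G3 in bits 1,3,5,7
        if not (local or glob):
            continue
        rw = dr7 >> (16 + 4 * i) & 3        # R/Wi: break condition
        ln = dr7 >> (18 + 4 * i) & 3        # LENi: size of watched range
        info["breakpoints"].append({
            "index": i,
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return info

def summarize(dr7):
    """One-line reading of a DR7 value in the terms Method 10 uses."""
    info = decode_dr7(dr7)
    if not info["breakpoints"]:
        flags = [k for k in ("LE", "GE", "GD") if info[k]]
        return "no BPM set; flags: " + (", ".join(flags) or "none")
    parts = [f"dr{b['index']} {b['scope']} {b['type']} {b['length']}B"
             for b in info["breakpoints"]]
    return "BPM set: " + "; ".join(parts)

# Constructed sample values: the two values the text quotes, plus a DR7 with
# a local 4-byte write breakpoint in dr0 (L0=1, R/W0=01b, LEN0=11b).
SAMPLES = [0x700, 0x400, 0xD0401]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"dr7={v:#x}: {summarize(v)}")
```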
__________________________________________________________________________

Method 11
=========

This method is mostly known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
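Added example, not from the original document: a small Python scanner that searches a raw code image for the byte encodings of the checks listed in Methods 01, 02, 05, 07 and 12, the kind of static signature an analyst uses to flag these tricks in a packed file before stepping through it. The opcode encodings are derived from the listings above (Methods 01 and 12 taken as 32-bit code, 02/05/07 as 16-bit DOS code) and the sample image is constructed; other encodings of the same instructions exist, so a miss is not proof of absence.

```python
import re

# Byte encodings of the checks shown in Methods 01/02/05/07/12 (constructed
# from the listings above; 16-bit DOS forms and 32-bit forms differ, and
# 'int 3' may be encoded as CC or CD 03, so both are accepted).
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' int 3 (32-bit)",
     rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00(?:\xCC|\xCD\x03)"),
    ("M02 SoftICE back door SI=4647h DI=4A4Dh int 3 (16-bit)",
     rb"\xBE\x47\x46\xBF\x4D\x4A(?:\xCC|\xCD\x03)"),
    ("M05 int 41h function 4Fh",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    ("M07 int 68h function 43h",
     rb"\xB4\x43\xCD\x68"),
    ("M12 VxDCall VWIN32_Int41Dispatch function 4Fh (32-bit)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]

def scan(image):
    """Return (offset, name) pairs, sorted by offset, for every hit in image.

    A hit is a raw byte-pattern match, not a disassembly: it can land on
    data or on a misaligned instruction, so treat results as leads to
    confirm in a disassembler, not as proof."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, image):
            hits.append((m.start(), name))
    return sorted(hits)

def build_sample():
    """Constructed test image: NOP padding with three of the checks embedded
    at known offsets (16, 49 and 72)."""
    pad = b"\x90" * 16
    m01 = bytes.fromhex("BD4B484342 66B80400 CC 3C04")     # ... cmp al,4
    m02 = bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")    # Haspinst listing
    m12 = bytes.fromhex("6A4F 682A002A00")
    return pad + m01 + pad + m02 + pad + m12 + pad

if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
```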
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>