About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must already be 0 (the IVT segment)
    xchg    bx, es:[41h*4+2]        ; install our own dummy int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
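As an added example (not from the original text), this Python decoder splits a DR7 value into its fields so that the two values quoted above can be read: 0x400 is the reset value (only the always-set bit 10), while 0x700 also has LE and GE (bits 8 and 9) set. The softice_hints helper and its sample register values are assumptions for illustration, not SoftICE's own code.

```python
# DR7 field layout per the Intel architecture manuals: L/G enable pairs in
# bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (reads as 1), GD bit 13,
# then per-slot R/W (2 bits) and LEN (2 bits) fields starting at bit 16.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 is undefined on 32-bit parts


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into the four breakpoint slots and the control bits."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"n": n, "enabled": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "bit10": bool(dr7 & 0x400),
        "GD": bool(dr7 & 0x2000),
    }


def softice_hints(dr7: int, dr0_3: tuple) -> list:
    """Assumed helper applying the rule of thumb from Method 10: LE+GE set is
    the dr7=0x700 case the text reports after the SoftICE loader, 0x400 is the
    reset value, and any enabled slot with a nonzero address is a BPM."""
    d = decode_dr7(dr7)
    hints = []
    if d["LE"] and d["GE"]:
        hints.append("LE and GE set: the dr7=0x700 case (SoftICE loader)")
    elif (dr7 & 0xFFFF) == 0x400:
        hints.append("dr7=0x400: reset value, no loader footprint")
    for slot, addr in zip(d["slots"], dr0_3):
        if slot["enabled"] and addr:
            hints.append("BPM candidate: dr%d=%#x %s len=%d"
                         % (slot["n"], addr, slot["kind"], slot["len"]))
    return hints


if __name__ == "__main__":
    # Constructed values: the two cases quoted in the text, then one with a
    # 4-byte read/write BPM armed in slot 0 at a made-up address.
    for dr7, drs in ((0x700, (0, 0, 0, 0)), (0x400, (0, 0, 0, 0)),
                     (0xF0701, (0x401000, 0, 0, 0))):
        print(hex(dr7), softice_hints(dr7, drs))
```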

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE (Win9x) driver accepts an open on \\.\SICE. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
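As an added example (not from the original text), here is a Python triage script that scans a raw binary for byte-level footprints of the checks in Methods 01 to 13: the opcode encodings of the magic constants, the MeltICE device names and the registry key above. The sample buffer is constructed by hand and the opcode encodings are assumptions about how the snippets above would be assembled; short patterns can match by chance, so hits are leads to confirm in a disassembler, not proof.

```python
import re

# Byte-level footprints of the checks described in Methods 01-13 (added
# example, not from the original text). Opcode bytes assume the encodings the
# snippets imply: 16-bit code for the DOS/int tricks (mov si,imm16 = BE imm16,
# int n = CD n) and 32-bit code for mov ebp,imm32 (BD imm32). Three-byte
# patterns can match by chance, so treat hits as leads, not proof.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' constant (mov ebp,4243484Bh)", re.escape(b"\xBD\x4B\x48\x43\x42")),
    ("02", "back door magic SI=4647h (mov si,4647h)", re.escape(b"\xBE\x47\x46")),
    ("02", "back door magic DI=4A4Dh (mov di,4A4Dh)", re.escape(b"\xBF\x4D\x4A")),
    ("03", "int 2Fh/1684h with SICE VxD ID 0202h", re.escape(b"\xBB\x02\x02\xCD\x2F")),
    ("04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh", re.escape(b"\xBB\x5F\x7A\xCD\x2F")),
    ("05", "int 41h function 4Fh (mov ax,4Fh / int 41h)", re.escape(b"\xB8\x4F\x00\xCD\x41")),
    ("05/07/12", "debugger magic 0F386h (cmp ax,0F386h)", re.escape(b"\x3D\x86\xF3")),
    ("07", "int 68h function 43h (mov ah,43h / int 68h)", re.escape(b"\xB4\x43\xCD\x68")),
    ("11", "MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)", re.escape(b"\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key", rb"Software\\NuMega\\SoftICE"),
]


def scan(blob: bytes) -> list:
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes) -> set:
    """The set of method labels (as used above) whose footprint is present."""
    return {method for _, method, _ in scan(blob)}


# Constructed sample, not a real file: a few of the snippets from the text,
# hand-assembled and padded with NOPs / zero bytes.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                # mov ebp,4243484Bh                (01)
    + b"\xB8\x04\x00\xCC\x3C\x04"            # mov ax,4 / int 3 / cmp al,4      (01)
    + b"\x90" * 4
    + b"\xB8\x11\x09"                        # mov ax,0911h                     (02)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"        # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # mov ax,4Fh / int 41h / cmp ax,0F386h (05)
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                     # MeltICE device name              (11)
    + b"\x00" * 4
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print("%#06x  Method %-8s %s" % (off, method, desc))
```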


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>