About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
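
As an added example (not code from the original text), the constants that
Methods 01 to 07 above depend on can be turned into static signatures for
triaging a suspect binary. The Python below was written for this edit; it
assumes the 16-bit encodings of the DOS-era sequences (mov r16,imm16 = B8+r iw,
cmp ax,imm16 = 3D iw, int n = CD ib, int 3 = CC) and the 32-bit mov ebp,imm32
(BD id) of Method 01. The sample bytes are a hand-encoded copy of the
Haspinst.exe loop plus the simplest Method 05 check, constructed here and not
taken from any real file.

```python
"""Static signature scanner for the magic constants of Methods 01 to 07.

Added example for this page, not code from the original text. It assumes
the 16-bit encodings of the DOS-era sequences (mov r16,imm16 = B8+r iw,
cmp ax,imm16 = 3D iw, int n = CD ib, int 3 = CC) and the 32-bit encoding
of Method 01's mov ebp,imm32 (BD id). A production triage tool would
decode instructions with a disassembler; raw byte patterns are enough to
show how the magic values become signatures.
"""
import struct
from typing import Dict, List, Tuple

# All parts of a signature must appear, in order, within this many bytes
# of the first part (the listings above are only a few instructions long).
WINDOW = 32


def mov_r16(reg: int, imm: int) -> bytes:
    """Encode `mov r16, imm16` (B8+r iw); ax=0, bx=3, si=6, di=7."""
    return bytes([0xB8 + reg]) + struct.pack("<H", imm)


SIGNATURES: Dict[str, List[bytes]] = {
    "01 BoundsChecker 'BCHK' (mov ebp,4243484Bh ... int 3)":
        [b"\xBD" + struct.pack("<I", 0x4243484B), b"\xCC"],
    "02 int 3 back door (mov si,4647h / mov di,4A4Dh / int 3)":
        [mov_r16(6, 0x4647), mov_r16(7, 0x4A4D), b"\xCC"],
    "03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        [mov_r16(0, 0x1684), mov_r16(3, 0x0202), b"\xCD\x2F"],
    "04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        [mov_r16(0, 0x1684), mov_r16(3, 0x7A5F), b"\xCD\x2F"],
    "05 int 41h fn 4Fh, magic 0F386h":
        [mov_r16(0, 0x004F), b"\xCD\x41", b"\x3D" + struct.pack("<H", 0xF386)],
    "07 int 68h fn 43h, magic 0F386h":
        [b"\xB4\x43", b"\xCD\x68", b"\x3D" + struct.pack("<H", 0xF386)],
}


def scan(code: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for each signature whose parts all occur in
    order within WINDOW bytes of the first part's offset."""
    hits = []
    for label, parts in SIGNATURES.items():
        start = 0
        while True:
            first = code.find(parts[0], start)
            if first < 0:
                break
            pos, ok = first + len(parts[0]), True
            for part in parts[1:]:
                nxt = code.find(part, pos, first + WINDOW)
                if nxt < 0:
                    ok = False
                    break
                pos = nxt + len(part)
            if ok:
                hits.append((label, first))
            start = first + 1
    return hits


# Constructed sample (not bytes from any real file): the Haspinst.exe
# back-door loop above, hand-encoded, then a lone mov ax,1684h with no
# int 2Fh after it (must not fire), then the simplest Method 05 check.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"      # mov ax,0911h
    + b"\x8B\x17"          # mov dx,[bx]
    + b"\xBE\x47\x46"      # mov si,4647h   (offset 9)
    + b"\xBF\x4D\x4A"      # mov di,4A4Dh
    + b"\xCC"              # int 3
    + b"\x83\xC3\x02"      # add bx,2
    + b"\x90" * 40
    + b"\xB8\x84\x16"      # mov ax,1684h   (no int 2Fh follows: no hit)
    + b"\x90" * 8
    + b"\xB8\x4F\x00"      # mov ax,4Fh     (offset 70)
    + b"\xCD\x41"          # int 41h
    + b"\x3D\x86\xF3"      # cmp ax,0F386h
    + b"\x74\x00"          # jz $+2
)

if __name__ == "__main__":
    for label, offset in scan(SAMPLE):
        print(f"offset {offset:#06x}: Method {label}")
```

Run against the sample it reports the Method 02 back door at offset 9 and the
Method 05 check at offset 70; the stray mov ax,1684h is ignored because no
mov bx / int 2Fh follows it within the window, which is the point of requiring
the whole sequence rather than a single 2-byte immediate.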
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the SICE device succeeds only when the SoftICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
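
As an added example (not code from the original text), the conditional
breakpoints given for Method 11 (BPX CreateFileA if *(esp->4+4)=='SICE' ...)
and for Method 13 (BPX _regopenkey if *(esp->8+0x13)=='tICE' || ...) can be
replayed offline over an API-hook log, which is how an analyst checks a sample
for these probes without tracing it live. The Python below was written for this
edit; the tab-separated log format and the sample lines are constructed. The
offsets come from the breakpoints themselves: 4 skips the \\.\ prefix of the
device name, and 0x13 and 0x37 are where 'tICE' falls in key #2 and key #1.
Treating _lopen like CreateFileA is our extension, based on the note that AZPR
uses it for the same job. Key #3 (App Paths\Loader32.Exe) has no 'tICE' at
either offset, so the author's breakpoint does not fire on it, which the sample
log shows.

```python
"""Replay the Method 11 and Method 13 breakpoint conditions over an
API-hook log.

Added example for this page, not code from the original text. It assumes a
log of tab-separated '<api>' and '<string argument>' lines (format
constructed here) such as a CreateFileA/RegOpenKey hook or sandbox would
produce, and reproduces the byte-offset tests of the breakpoints:
    BPX CreateFileA if *(esp->4+4)=='SICE' || ... 'SIWV' || ... 'NTIC'
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
_lopen is treated like CreateFileA because the text notes it is used for
the same job (that extension is ours, not the author's breakpoint).
"""
from typing import List, Tuple

# esp->4 is lpFileName; +4 skips the "\\.\" prefix of a device name.
DEVICE_TAGS = (b"SICE", b"SIWV", b"NTIC")
# esp->8 is lpSubKey; 'tICE' sits at 0x13 in key #2 (Software\NuMega\SoftICE)
# and at 0x37 in key #1 (...\CurrentVersion\Uninstall\SoftICE).
SUBKEY_OFFSETS = (0x13, 0x37)
SUBKEY_TAG = b"tICE"


def device_open_is_softice(path: str) -> bool:
    """True when the 4 bytes at offset 4 are one of the SoftICE device tags."""
    data = path.encode("ascii", "replace")
    return data[4:8] in DEVICE_TAGS


def regkey_is_softice(subkey: str) -> bool:
    """True when 'tICE' sits at either offset the breakpoint tests."""
    data = subkey.encode("ascii", "replace")
    return any(data[off:off + 4] == SUBKEY_TAG for off in SUBKEY_OFFSETS)


def triage(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, api, argument) for each call the breakpoints
    would stop on."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        api, _, arg = line.rstrip("\r\n").partition("\t")
        if api in ("CreateFileA", "_lopen") and device_open_is_softice(arg):
            hits.append((n, api, arg))
        elif api in ("RegOpenKeyA", "RegOpenKeyExA") and regkey_is_softice(arg):
            hits.append((n, api, arg))
    return hits


# Constructed sample log: ordinary file/registry traffic mixed with the
# probes described above. Line 7 is key #3, which carries no 'tICE' at
# 0x13 or 0x37, so the author's breakpoint (and this replay) skips it.
SAMPLE_LOG = [
    "CreateFileA\tC:\\WINDOWS\\SYSTEM\\USER.DAT",
    "CreateFileA\t\\\\.\\SICE",
    "_lopen\t\\\\.\\SIWVID",
    "CreateFileA\t\\\\.\\NTICE",
    "RegOpenKeyA\tSoftware\\NuMega\\SoftICE",
    "RegOpenKeyA\tSoftware\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "RegOpenKeyA\tSoftware\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    "CreateFileA\t\\\\.\\PIPE\\sice",
]

if __name__ == "__main__":
    for n, api, arg in triage(SAMPLE_LOG):
        print(f"line {n}: {api}({arg!r}) matches an anti-SoftICE probe")
```

On the sample log, lines 2 to 6 are flagged; the \\.\PIPE\sice open on line 8
is not, because the breakpoint compares the 4 bytes right after the prefix and
never the rest of the name, and neither is key #3. That fixed-offset style is
cheap inside SoftICE but brittle: a path with a different prefix length, or a
lowercase tag, slips past it, which is worth remembering when porting these
conditions to a hook.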

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
+ G: z; x0 k+ V$ W; N1 X% W</PRE></TD></TR></TBODY></TABLE>