<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE answers to: the
program puts 'BCHK' in EBP and 4 in AX before an INT 3. If SoftICE is
loaded it services the call and AL comes back changed, so the test
cmp al,4 fails.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands' (INT 3 with magic values in SI and DI),
which give information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not loaded, ES:DI is returned
as 0000:0000, so a non-zero ES+DI means SoftICE is present.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check).
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next example, as well as Method 06, are taken from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler (a plain IRET)
is swapped into the IVT first, so that without a debugger AX comes back
unchanged; SoftICE still answers 0F386h because it intercepts the
interrupt before the real-mode vector is reached (es is assumed to be 0,
as set in Method 06):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in dx:bx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to
detect. A pseudo-random byte (read from the timer port) is passed in al;
the installed handler copies it into cl. If SoftICE handles int 41h itself
instead of passing it to the vector in the IVT, the handler never runs
(or al comes back different), so cl and al differ. (A timer read of 0
gives a miss, since cl is zeroed beforehand.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; timer channel 0: a pseudo-random byte
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86). Function 43h is the
debugger installation check; a system debugger answers with 0F386h in ax.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx)
for that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect if SoftICE is loaded (dr7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or if some memory breakpoints are set
(dr0 to dr3), simply by reading their value (ring0 only: a MOV from a
debug register faults at ring3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver device names (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the open succeeded: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (the +4 skips the '\\.\' prefix of the name):
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0, a valid handle does not
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
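Added example, not part of the original text: the breakpoints above catch these tricks at run time, but a packer analyst usually wants to spot them statically first. This C scanner looks for the exact byte encodings of the instruction sequences shown in Methods 01 to 07, 11 and 12 (the mov ebp,'BCHK', the SI/DI magic pair, int 41h/4Fh, cmp ax,0F386h, int 2Fh/1684h with either VxD ID, int 68h/43h, the 2A002Ah VxDCall and the three MeltICE device names), the way a YARA rule would. The byte patterns are the standard 16-bit x86 encodings of the listings above (32-bit code only adds a 66h prefix, so the same bytes still match); the signature names and the sample image are constructed for this example. A register shuffle (loading DI before SI, say) or a split immediate evades a byte-exact pattern, so treat a hit as a hint to set the corresponding breakpoint, not as proof.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;   /* method number from the text and what the bytes are */
    const uint8_t *bytes;
    size_t         len;
} sig_t;

/* Encodings of the listings in the text. */
static const uint8_t s_bchk[]    = {0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,'BCHK'              */
static const uint8_t s_fgjm[]    = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};           /* mov si,4647h / mov di,4A4Dh */
static const uint8_t s_int41[]   = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh / int 41h        */
static const uint8_t s_f386[]    = {0x3D,0x86,0xF3};                          /* cmp ax,0F386h               */
static const uint8_t s_2f_sice[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* ax=1684h bx=0202h int 2Fh   */
static const uint8_t s_2f_siwv[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* ax=1684h bx=7A5Fh int 2Fh   */
static const uint8_t s_int68[]   = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h / int 68h        */
static const uint8_t s_vxdcall[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};      /* push 4Fh / push 2A002Ah     */

static const sig_t sigs[] = {
    {"01 mov ebp,'BCHK' (BoundsChecker check)", s_bchk,    sizeof s_bchk},
    {"02 SI=4647h/DI=4A4Dh back door",          s_fgjm,    sizeof s_fgjm},
    {"05 int 41h function 4Fh",                 s_int41,   sizeof s_int41},
    {"05/07/12 cmp ax,0F386h",                  s_f386,    sizeof s_f386},
    {"03 int 2Fh/1684h for SICE VxD",           s_2f_sice, sizeof s_2f_sice},
    {"04 int 2Fh/1684h for SIWVID VxD",         s_2f_siwv, sizeof s_2f_siwv},
    {"07 int 68h function 43h",                 s_int68,   sizeof s_int68},
    {"12 VxDCall VWIN32_Int41Dispatch",         s_vxdcall, sizeof s_vxdcall},
    {"11 \\\\.\\SICE device name",   (const uint8_t *)"\\\\.\\SICE",   sizeof "\\\\.\\SICE"   - 1},
    {"11 \\\\.\\SIWVID device name", (const uint8_t *)"\\\\.\\SIWVID", sizeof "\\\\.\\SIWVID" - 1},
    {"11 \\\\.\\NTICE device name",  (const uint8_t *)"\\\\.\\NTICE",  sizeof "\\\\.\\NTICE"  - 1},
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

int sig_count(void) { return (int)NSIGS; }
const char *sig_name(unsigned i) { return i < NSIGS ? sigs[i].name : ""; }

/* Returns a bitmask with bit i set when sigs[i] occurs anywhere in buf. */
uint32_t scan_antidebug(const uint8_t *buf, size_t n) {
    uint32_t mask = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        for (size_t i = 0; sigs[s].len <= n && i + sigs[s].len <= n; i++) {
            if (memcmp(buf + i, sigs[s].bytes, sigs[s].len) == 0) {
                mask |= 1u << s;
                break;
            }
        }
    }
    return mask;
}

/* Constructed sample: the Haspinst.exe fragment from Method 02 followed by
 * a MeltICE device name, between filler bytes. Not taken from any real file. */
static const uint8_t sample_image[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,        /* mov ax,0911h */
    0x8B, 0x17,              /* mov dx,[bx]  */
    0xBE, 0x47, 0x46,        /* mov si,4647h */
    0xBF, 0x4D, 0x4A,        /* mov di,4A4Dh */
    0xCC,                    /* int 3        */
    0x83, 0xC3, 0x02,        /* add bx,2     */
    0x00,
    '\\','\\','.','\\','S','I','C','E',0x00,
    0xC3
};

uint32_t scan_sample(void) { return scan_antidebug(sample_image, sizeof sample_image); }

int main(void) {
    uint32_t hits = scan_sample();
    for (unsigned i = 0; i < NSIGS; i++)
        if (hits & (1u << i)) printf("hit: %s\n", sig_name(i));
    return 0;
}
```

To use it on a real target, read the unpacked section into a buffer and call scan_antidebug() on it; each set bit maps to one of the methods above and tells you which BPX or BPINT from the text to set.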
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only). It returns with the zero flag set if no debugger is installed.

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>