<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface signature in SoftICE: INT 3 is
executed with EBP = 'BCHK' and AX = 4. When SoftICE is loaded it services the
call and AL no longer holds 4 on return; without it, INT 3 returns with the
registers untouched.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; back door call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get Entry Point"): if the VxD is loaded, ES:DI receives its API entry
point, otherwise ES:DI stays 0.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh ("debugger installation
check").
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

Beware: under raw DOS the int 41h vector is not code but the pointer to the
fixed-disk parameter table, so this bare int 41h crashes unless a debugger
or Windows has installed a handler.

This variant and the one in the next method are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Before calling int 41h it temporarily
points the vector to its own handler (a bare IRET), so that without a
debugger the call is safe and AX comes back unchanged:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap our handler in, keep the old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to spot: the
temporary handler copies AL into CL, so if the handler really ran (no
debugger) CL equals AL afterwards; if SoftICE caught the int 41h instead,
CL stays 0 and (almost always) differs from the byte read from the timer.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP


        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; swap our handler in, keep the old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random byte from the timer counter
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3), simply
by reading their values (in ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).
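Comparing DR7 with 0x400 or 0x700 only tells you that something touched it. As an added example that is not part of the original page, here is a C decoder that turns a DR7 value into the list of armed hardware breakpoints, their type and length, plus the general-detect bit. Reading DR7 itself still needs ring 0 (mov eax,dr7), exactly as the text says; the code works on a value already read. The bit layout is taken from the Intel SDM and is an assumption of the example, not something stated on the page.

```c
/* Added example, not from the original page: decoding DR7 the way a ring-0
 * check like Method 10 would, instead of comparing it with 0x400/0x700.
 * Bit layout assumed from the Intel SDM:
 *   bits 2i/2i+1   Li/Gi  local/global enable of DRi
 *   bit 8 LE, 9 GE        exact-breakpoint enables (SoftICE's 0x700 = LE|GE|bit 10)
 *   bit 10                reserved, always reads as 1 (the 0x400 of an idle DR7)
 *   bit 13 GD             general detect: traps every MOV to/from a DR
 *   bits 16+4i..17+4i     R/Wi: 00 exec, 01 write, 10 I/O, 11 read/write
 *   bits 18+4i..19+4i     LENi: 00 1 byte, 01 2, 11 4, 10 8 (64-bit only) */
#include <stdint.h>
#include <stdio.h>

/* R/W field of DRi as text */
const char *dr7_bp_kind(uint32_t dr7, int i)
{
    static const char *kinds[4] = { "exec", "write", "io", "rw" };
    return kinds[(dr7 >> (16 + 4 * i)) & 3];
}

/* Bytes covered by DRi; execute breakpoints always cover exactly one byte */
int dr7_bp_len(uint32_t dr7, int i)
{
    static const int lens[4] = { 1, 2, 8, 4 };
    if (((dr7 >> (16 + 4 * i)) & 3) == 0)
        return 1;
    return lens[(dr7 >> (18 + 4 * i)) & 3];
}

/* 0 = off, 1 = local enable (Li), 2 = global enable (Gi), 3 = both */
int dr7_bp_enabled(uint32_t dr7, int i)
{
    return (dr7 >> (2 * i)) & 3;
}

/* How many of DR0..DR3 are armed: the "memory breakpoints set" case */
int dr7_enabled_count(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += dr7_bp_enabled(dr7, i) != 0;
    return n;
}

/* The page's 0x400 test generalised: anything beyond the reserved bit means
 * a debugger touched DR7 (LE/GE as with the SoftICE loader, an armed BPM, GD) */
int dr7_is_clean(uint32_t dr7)
{
    return (dr7 & ~0x400u) == 0;
}

int dr7_general_detect(uint32_t dr7)
{
    return (dr7 >> 13) & 1;
}

int main(void)
{
    /* constructed sample values: idle, SoftICE loader, one 4-byte write BPM, GD */
    const uint32_t samples[] = { 0x400, 0x700, 0x000D0401u, 0x2400 };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        uint32_t v = samples[s];
        printf("DR7=%08X clean=%d GD=%d armed=%d\n", (unsigned)v, dr7_is_clean(v),
               dr7_general_detect(v), dr7_enabled_count(v));
        for (int i = 0; i < 4; i++)
            if (dr7_bp_enabled(v, i))
                printf("  DR%d: %s %s len=%d\n", i,
                       dr7_bp_enabled(v, i) & 2 ? "global" : "local",
                       dr7_bp_kind(v, i), dr7_bp_len(v, i));
    }
    return 0;
}
```

The sample value 0x000D0401 is what a single dword BPM on write looks like (L0 set, R/W0 = write, LEN0 = 4); 0x2400 shows GD armed, which a protected program can also set to trap the debugger's own DR accesses.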

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega's people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if a handle to the SICE driver can be opened, i.e. the Win9x
   SoftICE VxD is loaded. The same call with "\\\\.\\SIWVID" or "\\\\.\\NTICE"
   covers the video driver and the NT version. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push  00402025                 ; "\\.\SICE"
        0040106C:  call  CreateFileA
        00401071:  cmp   eax,-001                 ; INVALID_HANDLE_VALUE
        00401074:  je    00401091


There could be hundreds of BPX you could use to catch this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh "debugger installation check"
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, there are several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (offsets 0x13 and 0x37 are where "tICE" sits
in the #2 and #1 subkey strings):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
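Every trick above leaves a fixed byte or string pattern in the protected file (the BCHK constant, the 4647h/4A4Dh magic, the int 2Fh/1684h probe, the 0F386h compare, the 002A002Ah VxDCall, the device names of Method 11, the registry key of Method 13), so a target can be triaged before it is ever loaded under SoftICE. As an added example that is not part of the original page, here is a small masked byte-signature scanner in C covering Methods 01-07, 11, 12 and 13. The opcode bytes are my own encodings of the page's instructions, the sample buffers are constructed, and the Stone variants of Methods 05/06, which separate mov ax,4Fh from int 41h, are out of its reach, which is exactly why the page calls them harder to detect.

```c
/* Added example, not from the original page: a byte-signature scanner for the
 * tricks of Methods 01-07, 11, 12 and 13, to triage a packed target before it
 * is run under SoftICE. The opcode bytes are my encodings of the page's
 * instructions (B8+r mov r16,imm16; BD mov ebp,imm32; B4 mov ah,imm8;
 * CD ib int; 68 id push imm32; 3D iw cmp ax,imm16); the 66h prefix that
 * precedes 16-bit moves in 32-bit code is left out so both code models match.
 * Sample buffers are constructed, not taken from a real binary. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig { const char *name; const char *hex; const char *ascii; };

static const struct sig sigs[] = {
    { "M01 mov ebp,'BCHK'",            "BD 4B 48 43 42",          NULL },
    { "M02 mov si,4647h/mov di,4A4Dh", "BE 47 46 BF 4D 4A",       NULL },
    { "M03/04 int 2Fh/1684h VxD id",   "B8 84 16 BB ?? ?? CD 2F", NULL },
    { "M05 mov ax,4Fh/int 41h",        "B8 4F 00 CD 41",          NULL },
    { "M05/07/12 cmp ax,0F386h",       "3D 86 F3",                NULL },
    { "M07 mov ah,43h/int 68h",        "B4 43 CD 68",             NULL },
    { "M12 push 002A002Ah (VxDCall)",  "68 2A 00 2A 00",          NULL },
    { "M11 device \\\\.\\SICE",        NULL, "\\\\.\\SICE" },
    { "M11 device \\\\.\\SIWVID",      NULL, "\\\\.\\SIWVID" },
    { "M11 device \\\\.\\NTICE",       NULL, "\\\\.\\NTICE" },
    { "M13 registry NuMega\\SoftICE",  NULL, "NuMega\\SoftICE" },
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* sigs[i] -> pattern + mask ("??" = wildcard byte); returns pattern length. */
static size_t sig_bytes(size_t i, uint8_t *pat, uint8_t *mask, size_t cap)
{
    size_t n = 0;
    if (!sigs[i].hex) {                       /* plain ASCII string */
        n = strlen(sigs[i].ascii);
        if (n > cap) n = cap;
        memcpy(pat, sigs[i].ascii, n);
        memset(mask, 0xFF, n);
        return n;
    }
    for (const char *s = sigs[i].hex; *s && n < cap; n++) {
        while (*s == ' ') s++;
        if (!*s) break;
        unsigned v = 0;
        if (s[0] == '?' && s[1] == '?') mask[n] = 0x00;
        else if (sscanf(s, "%2x", &v) == 1) mask[n] = 0xFF;
        else return 0;                         /* malformed pattern */
        pat[n] = (uint8_t)v;
        s += 2;
    }
    return n;
}

/* Masked search for sigs[i]; offset of the first match or -1. */
static long find_masked(const uint8_t *buf, size_t len, size_t i)
{
    uint8_t pat[32], mask[32];
    size_t plen = sig_bytes(i, pat, mask, sizeof pat);
    if (plen == 0 || plen > len) return -1;
    for (size_t at = 0; at + plen <= len; at++) {
        size_t j = 0;
        while (j < plen && ((buf[at + j] ^ pat[j]) & mask[j]) == 0) j++;
        if (j == plen) return (long)at;
    }
    return -1;
}

/* hit[i] = 1 if sigs[i] occurs in buf; returns the number of hits. */
int scan_buf(const uint8_t *buf, size_t len, int hit[NSIGS])
{
    int n = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        hit[i] = find_masked(buf, len, i) >= 0;
        n += hit[i];
    }
    return n;
}

/* 1 if a signature whose name starts with prefix ("M02", "M11" ...) hits. */
int scan_has(const uint8_t *buf, size_t len, const char *prefix)
{
    for (size_t i = 0; i < NSIGS; i++)
        if (strncmp(sigs[i].name, prefix, strlen(prefix)) == 0 &&
            find_masked(buf, len, i) >= 0)
            return 1;
    return 0;
}

/* VxD ID asked for via int 2Fh/1684h (0202h SICE, 7A5Fh SIWVID), read from
 * the wildcard bytes of the M03/04 match; -1 if the pattern is absent. */
int vxd_id_in(const uint8_t *buf, size_t len)
{
    long at = find_masked(buf, len, 2);
    return at < 0 ? -1 : buf[at + 4] | (buf[at + 5] << 8);
}

/* Constructed sample: the Haspinst.exe loop of Method 02, a Method 04 probe
 * for SIWVID and a MeltICE-style device name. */
static const uint8_t sample_packed[] = {
    0xB8, 0x11, 0x09, 0x8B, 0x17,                   /* mov ax,0911h ; mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,       /* mov si,4647h ; mov di,4A4Dh ; int 3 */
    0x83, 0xC3, 0x02, 0x41, 0x83, 0xF9, 0x06,       /* add bx,2 ; inc cx ; cmp cx,6 */
    0x33, 0xFF, 0x8E, 0xC7,                         /* xor di,di ; mov es,di */
    0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F, /* mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
    '\\', '\\', '.', '\\', 'S', 'I', 'W', 'V', 'I', 'D', 0
};
/* Constructed sample with nothing suspicious: mov ax,4C00h ; int 21h */
static const uint8_t sample_clean[] = { 0xB8, 0x00, 0x4C, 0xCD, 0x21, 'o', 'k' };

int main(void)
{
    int hit[NSIGS];
    int n = scan_buf(sample_packed, sizeof sample_packed, hit);
    printf("%d hit(s), VxD id %04X\n", n, (unsigned)vxd_id_in(sample_packed, sizeof sample_packed));
    for (size_t i = 0; i < NSIGS; i++)
        if (hit[i]) printf("  %s\n", sigs[i].name);
    return 0;
}
```

To scan a real file, read it into a buffer and call scan_buf on it; a hit on the M03/04 pattern also tells you which VxD was probed through vxd_id_in. Packers that build the magic values at run time (for instance xor-decoding them into SI/DI) will not match, so a clean scan is not proof that none of these tricks is present.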

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>