<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original handler
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our own handler leaves ax untouched; a debugger changes it
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========
2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; copy the value passed in al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value read from the timer port
    xor cx,cx
    int 41h                 ; our handler sets cl=al; a debugger's handler does not
    xchg dx, es:[41h*4]     ; restore the original handler
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>