<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; al is still 04h if no debugger answered the int 3
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less common method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0000:0000 if the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; es is assumed to be 0 (IVT), see method 06
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original int 41h vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, keep the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h ; a varying value (timer counter)
 xor cx,cx
 int 41h ; only our handler sets cl = al
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl != al: someone else answered int 41h
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
) I: i2 }. @# n; k: s5 pMethod 106 e7 O ] @8 ^8 V% r& x/ s P
=========7 e8 R% I+ N* ~% b2 k' e" Y
; a5 T( z+ G0 A* f, e9 |8 P5 w=>Disable or clear breakpoints before using this feature. DO NOT trace with
" k' O0 g# y# L) U) i7 U# o1 W3 p SoftICE while the option is enable!!3 P+ P Y0 e% Q2 j1 O
@9 [2 a9 _0 X9 C1 B) @
This trick is very efficient:
; \* p; U2 t- l6 c3 z1 F. Z8 J% uby checking the Debug Registers, you can detect if SoftICE is loaded
) Y4 L! K, Q' F- P3 }8 Y; A/ y" l(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
# t2 y' j8 z4 V0 X3 ? A f) Rthere are some memory breakpoints set (dr0 to dr3) simply by reading their3 I# w4 Y! c7 w3 Z
value (in ring0 only). Values can be manipulated and or changed as well
( G" `2 N& B$ c# l" d(clearing BPMs for instance)' M' m7 q, B& ]7 K! U9 b
( t. ~# U8 W% e
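To see what such a ring-0 read of the debug registers actually observes, here is an added example (not part of the original text) that decodes the two DR7 values quoted above into Intel's documented DR7 fields. The bit layout is the architectural one; reading LE/GE as the bits the SoftICE Loader leaves set, and the sample BPM in slot 0, are my own assumptions.

```python
# Added example: decode DR7 the way a method-10 style check would read it.
# Bit layout per the Intel SDM: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 reserved (reads as 1), GD bit 13, R/Wn in bits 16+4n, LENn in 18+4n.
DR7_FLAG_BITS = {8: "LE", 9: "GE", 10: "reserved(1)", 13: "GD"}
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "rw"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the named flag bits that are set and one entry per dr0..dr3 slot."""
    flags = [name for bit, name in DR7_FLAG_BITS.items() if dr7 >> bit & 1]
    slots = []
    for i in range(4):
        local = dr7 >> (2 * i) & 1
        glob = dr7 >> (2 * i + 1) & 1
        rw = dr7 >> (16 + 4 * i) & 3
        ln = dr7 >> (18 + 4 * i) & 3
        slots.append({"slot": i, "enabled": bool(local or glob),
                      "scope": "global" if glob else ("local" if local else None),
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"flags": flags, "slots": slots}


def debugger_indicators(dr7, dr0_3):
    """What a read-only check of dr7 and dr0..dr3 would learn:
    exact-breakpoint flags (LE/GE) and which BPM slots are armed."""
    info = decode_dr7(dr7)
    exact_bp = {"LE", "GE"} <= set(info["flags"])   # 0x700 yes, 0x400 no
    armed = [s["slot"] for s in info["slots"] if s["enabled"]]
    return {"exact_bp_enabled": exact_bp, "armed_slots": armed,
            "bpm_addresses": {f"dr{i}": dr0_3[i] for i in armed}}


def diff_dr7(a, b):
    """Names of DR7 flag bits set in a but not in b."""
    return sorted(set(decode_dr7(a)["flags"]) - set(decode_dr7(b)["flags"]))


if __name__ == "__main__":
    # The two bare values quoted in the text: only LE and GE differ.
    print(diff_dr7(0x700, 0x400))
    print(debugger_indicators(0x700, [0, 0, 0, 0]))
    # Constructed sample: loader flags plus one local 4-byte write BPM in slot 0
    # (L0 set, R/W0 = write, LEN0 = 4 bytes) on a made-up address.
    sample_dr7 = 0x700 | 0x1 | (1 << 16) | (3 << 18)
    print(debugger_indicators(sample_dr7, [0x401000, 0, 0, 0]))
```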
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
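Most of the tricks in this document leave recognisable constants and strings in the binary, so they can be triaged statically before the file is ever loaded under the debugger. As an added example (not part of the original text), this Python scanner looks for the markers of methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13 in a constructed sample; the opcode encodings are my own reading of the document's snippets (16-bit forms, with an optional 66h prefix where the 32-bit form differs), and the sample bytes are made up, not taken from any real program.

```python
import re

# Added example: static scan for the SoftICE checks described in this document.
# Opcode byte sequences are assumptions derived from the snippets above.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "bchk_int3": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    "sice_backdoor_int3": rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh ... int 2Fh
    "int2f_get_vxd_entry": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Methods 05/06: mov ax,4Fh / int 41h ... cmp ax,0F386h
    "int41_4f_magic": rb"\x66?\xB8\x4F\x00\xCD\x41.{0,12}?\x66?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    "int68_43_magic": rb"\xB4\x43\xCD\x68.{0,8}?\x66?\x3D\x86\xF3",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11 (MeltICE): driver names handed to CreateFileA / _lopen
    "sice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: registry keys that reveal the installation directory
    "sice_registry_key": rb"(?i:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
}


def scan(blob):
    """Return (signature name, offset) pairs for every hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def summarize(blob):
    """Hit count per signature, the shape a triage report would show."""
    counts = {}
    for name, _ in scan(blob):
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_sample():
    """Constructed sample bytes (not a real program): several of the tricks
    embedded in NOP filler, plus a lone int 3 that must not be flagged."""
    pad = b"\x90" * 16
    return b"".join([
        pad, b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10",  # method 01
        pad, b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02",  # method 02
        pad, b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10",  # method 05
        pad, b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3",  # method 12
        pad, b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00",  # method 11 device names
        pad, b"Software\\NuMega\\SoftICE\x00",  # method 13 registry key
        pad, b"\xCC",  # plain int 3, no magic values around it
    ])


if __name__ == "__main__":
    for name, off in scan(build_sample()):
        print(f"{off:06x}  {name}")
```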
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>