<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature ('BCHK') that SoftICE answers to:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3                  ; without SoftICE the int 3 returns with al still 4
    cmp al,4
    jnz SoftICE_Detected   ; SoftICE changed al: debugger present

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di             ; (ES:DI stays 0:0 if the VxD is not loaded)
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                ; es = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install a dummy int 41h handler...
    xchg bx, es:[41h*4+2]    ; ...keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h           ; only a debugger sitting above the IVT can answer
    jz SoftICE_detected

int41handler2 PROC
    iret                     ; dummy handler: leaves ax untouched
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; dummy handler: copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; es = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install the dummy handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h               ; unpredictable value (timer port) instead of 4Fh
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; cl==al only if our handler was really reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx = new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE Win9x VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeds only because the VxD is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) -> 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
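The breakpoint conditions given for methods 01 to 12 all key on the same constants ('BCHK', SI/DI = 4647h/4A4Dh, VxD IDs 0202h/7A5Fh, int 41h/4Fh, the \\.\SICE device names, the 002A002Ah VxDCall). As an added example, not part of the original text, here is a small static scanner that looks for those checks as byte signatures in a raw code blob, so the tricks can be located before tracing; the opcode encodings are hand-assembled by me and the sample buffer is constructed, not taken from any real file.

```python
import re

# Byte signatures of the SoftICE checks described above (x86 encodings; the
# DOS tricks use 16-bit operand size, the optional 0x66 prefix covers the same
# instruction emitted from 32-bit code). The lazy gaps (.{0,8}?) tolerate a
# few unrelated instructions between the two halves of a check.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)": rb"\x66?\xbd\x4b\x48\x43\x42",
    "02 back door magic (mov si,4647h / mov di,4A4Dh)":
        rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a",
    "03 int 2Fh/1684h VxD 0202h (SICE)": rb"\xbb\x02\x02.{0,8}?\xcd\x2f",
    "04 int 2Fh/1684h VxD 7A5Fh (SIWVID)": rb"\xbb\x5f\x7a.{0,8}?\xcd\x2f",
    "05 int 41h/4Fh (mov ax,4Fh / int 41h)": rb"\xb8\x4f\x00.{0,8}?\xcd\x41",
    "07 int 68h/43h (mov ah,43h / int 68h)": rb"\xb4\x43.{0,8}?\xcd\x68",
    "11 MeltICE device name": rb"\\\\\.\\(SICE|SIWVID|NTICE)",
    "12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)":
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
}


def scan(blob: bytes):
    """Return (offset, description) pairs, sorted by offset, for every hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(blob: bytes):
    """Just the method numbers (the two leading characters of each name)."""
    return sorted({name[:2] for _, name in scan(blob)})


# Constructed sample, not a real binary: the instruction sequences quoted in
# methods 01, 02 (Haspinst.exe) and 05 plus a MeltICE device name, separated
# by NOP padding. The hex is the hand-assembled 16-bit encoding.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("BD4B484342" "B80400" "CC" "3C04" "7510")     # method 01
    + b"\x90" * 4
    + bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC")       # method 02
    + b"\x90" * 4
    + bytes.fromhex("B84F00" "CD41" "3D86F3" "7408")              # method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                         # method 11
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  method {name}")
```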

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed         ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>