<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: BoundsChecker announces
itself through INT 3 with EBP = 'BCHK' and AX = 4, and a loaded SoftICE
answers that INT 3 itself, returning with AL cleared instead of the 4 that
was put there.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies on
the SoftICE 'back door' commands, reached through INT 3, which give
information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:

-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:

-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')

which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
Note the logic: with SoftICE loaded the INT 3 returns normally, the loop runs
through all six commands (ending in HBOOT) and the code jumps back to 0002;
the "good guy" path at 00AD is only reached when SoftICE is absent.

* the "jmp to 00ADh" is performed by the program's own exception handler for
INT 3 if the debugger is not loaded (the original text calls it an SEH; under
DOS it is simply the handler the program installed in the INT 3 vector).
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If a VxD with that ID is loaded, ES:DI
receives its API entry point; otherwise ES:DI is left at 0:0.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

The ADD is a cheap "either half non-zero" test (an OR would be the exact
test).

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the Windows debugger installation
check).
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Both temporarily replace the int 41h vector
with the program's own handler (ES must address segment 0, the interrupt
vector table, as done explicitly in method 06), so that without a debugger
the call returns harmlessly; SoftICE sees the interrupt before the real-mode
vector is consulted and still answers 0F386h:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========


A 2nd method similar to the preceding one but more difficult to detect: the
value read from the timer port (in al,40h) is unpredictable, so the check
cannot be defeated by patching a constant. If the program's own handler
receives the int 41h it copies AL into CL; if SoftICE handles the interrupt
itself and does not pass it on, CL stays 0 and differs from AL. (When the
timer byte happens to be 0 the check misses: a one-in-256 false negative.)


int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________

Method 09
=========


This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3) simply by
reading their values (ring 0 only). The values can be manipulated or changed
as well (clearing BPMs, for instance).
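The DR7 values quoted above, decoded. This is an added example and not part of the original text: a Python model of the check a ring-0 component performs once it has captured DR0-DR3 and DR7 (user-mode code cannot read the registers itself, as the text says). Bit positions follow the Intel SDM layout of DR7; the sample register values and the helper names are this example's own.

```python
"""DR7 decoder for the debug-register check of Method 10.
Added example (not the page author's code): it takes DR7 and DR0-DR3 values a
ring-0 component has captured (user mode cannot read them) and shows what the
page's 0x700/0x400 values mean and how the 'any BPM set?' test works.
Bit positions follow the Intel SDM layout of DR7; sample values are constructed."""
from typing import Dict, List, Tuple

LE, GE = 1 << 8, 1 << 9        # local/global exact breakpoint enable
GD = 1 << 13                   # general detect: #DB on any MOV to/from DRn
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # LEN=10b means 8 bytes only in 64-bit mode
# bit 10 of DR7 always reads as 1, which is why an "empty" DR7 shows as 0x400.

def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its global enable bits and the four per-slot conditions."""
    slots = []
    for n in range(4):
        slots.append({
            "slot": n,
            "local": bool(dr7 & (1 << (2 * n))),       # Ln
            "global": bool(dr7 & (1 << (2 * n + 1))),  # Gn
            "type": RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],
            "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {"LE": bool(dr7 & LE), "GE": bool(dr7 & GE),
            "GD": bool(dr7 & GD), "slots": slots}

def softice_loader_used(dr7: int) -> bool:
    """The page's heuristic: 0x700 means LE and GE are set on top of the
    reserved bit, which is what a program started from the SoftICE loader
    sees; 0x400 is just the reserved bit."""
    return (dr7 & (LE | GE)) == (LE | GE)

def active_bpms(dr7: int, dr0_3: List[int]) -> List[Tuple[int, int, str, int]]:
    """Hardware breakpoints currently armed: (slot, linear address, type, len).
    A slot counts only if its Ln or Gn bit is set; a non-zero DRn alone proves nothing."""
    return [(s["slot"], dr0_3[s["slot"]], s["type"], s["len"])
            for s in decode_dr7(dr7)["slots"] if s["local"] or s["global"]]

def clear_bpms(dr7: int) -> int:
    """What 'values can be manipulated' means in practice: drop L0-L3/G0-G3 so
    the debugger's hardware breakpoints (BPMs) stop firing, leaving LE/GE and
    the reserved bit alone so the loader check still looks untouched."""
    return dr7 & ~0xFF

# Constructed sample: loader-style 0x700 plus one 4-byte read/write BPM in slot 1.
SAMPLE_DR7 = 0x700 | (1 << 2) | (3 << 20) | (3 << 22)
SAMPLE_DR0_3 = [0, 0x401000, 0, 0]

if __name__ == "__main__":
    print(hex(SAMPLE_DR7), softice_loader_used(SAMPLE_DR7),
          active_bpms(SAMPLE_DR7, SAMPLE_DR0_3))
```

Note that clear_bpms deliberately keeps bits 8-10, so a protector that wipes BPMs this way can still pass (or fail) the loader heuristic exactly as before; the two checks are independent.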

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
 four-byte comparison lands on the driver name.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) + 1 == 0 means "not opened"
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________$ D; P, W1 h8 {: F7 d& n
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the subkey name; offsets 0x13 and
0x37 are where "tICE" sits in key #2 and key #1 respectively):

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>