About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility uses to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
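The instruction sequences quoted in Methods 01 to 07 and the device names of Method 11 have fixed byte encodings, so an analyst can locate these checks in a binary statically, before tracing anywhere near them, instead of waiting to hit them under the debugger. The scanner below is an added example written for this page; it is not code from the original post nor from any of the programs it mentions. The signatures are my own encoding of the listed sequences (standard x86, with the optional 66h operand-size prefix so that both 16-bit and 32-bit code segments are covered), and the image it scans is constructed inline for the demonstration.

```python
"""Static scanner for the anti-SoftICE instruction sequences quoted above.

Added example, not part of the original post.  Each signature is a regex over
raw bytes built from the standard x86 encoding of the quoted instructions; the
optional \\x66 prefix covers 16-bit and 32-bit code segments alike.
"""
import re

# (label, compiled regex) pairs, one per trick; the labels name the Method
# numbers used in the post.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC")),
    # Method 02: back-door magic values SI=4647h and DI=4A4Dh, in either
    # order, allowing up to 8 bytes (e.g. mov ax,09xx) between the two moves.
    ("M02 back-door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A"
                rb"|(?:\x66)?\xBF\x4D\x4A.{0,8}?(?:\x66)?\xBE\x47\x46",
                re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    ("M03/M04 int 2Fh/1684h VxD entry-point query",
     re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h   (the cmp ax,0F386h normally follows)
    ("M05 int 41h/4Fh debugger-installed check",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Methods 05/07/12 all compare against the 0F386h magic: cmp ax,0F386h.
    # Only 3-4 bytes long, so treat a lone hit as a lead to confirm by hand.
    ("cmp ax,0F386h (weak, confirm by hand)",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.compile(b"|".join(re.escape(b"\\\\.\\" + name)
                          for name in (b"SICE", b"SIWVID", b"NTICE")))),
]


def scan(image: bytes):
    """Return a sorted list of (offset, label) for every signature hit in image."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(image):
            hits.append((match.start(), label))
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed demo image: 64-byte runs of harmless filler with a few of the
    quoted sequences planted between them (offsets 64, 142, 218, 290, 364)."""
    filler = bytes(range(0x30, 0x40)) * 4            # 64 bytes of ASCII '0'..'?'
    parts = [
        filler,
        # Method 01 as 32-bit code: mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4 ; jnz
        bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 00"),
        filler,
        # Haspinst example from Method 02 (16-bit): mov ax,0911 ; mov dx,[bx] ;
        # mov si,4647 ; mov di,4A4D ; int 3
        bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC"),
        filler,
        # Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh
        bytes.fromhex("B8 84 16 BB 02 02 CD 2F"),
        filler,
        # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz
        bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 00"),
        filler,
        # Method 11: the device name string MeltICE opens
        b"\\\\.\\SICE\x00",
        filler,
    ]
    return b"".join(parts)


def demo():
    """Scan the constructed image; returns the hit list that main() prints."""
    return scan(build_sample_image())


if __name__ == "__main__":
    for offset, label in demo():
        print(f"{offset:08X}  {label}")
```

On a real target the same `scan()` would be run over each section of the executable (or over the whole unpacked image), and the `cmp ax,0F386h` hits are only worth following up when one of the int 41h / int 68h / VxDCall sequences sits within a few bytes before them.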
汶上信息港 ( 鲁ICP备19052200号-1 ) | Powered by Discuz! X3.5