<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE: int 3 is called with
EBP='BCHK' and AH=04h, and SoftICE answers by modifying AL (the compare
below expects AL to be left at 4 only when no SoftICE is present).

        mov     ebp, 04243484Bh     ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4               ; AL unchanged -> no SoftICE
        jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a widely used method (perhaps the most frequent one). It relies on the
SoftICE 'Back Door commands' of int 3, which give information about
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP        ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT (the last one reboots the machine).

* the "jmp to 00ADh" is performed via an exception handler (SEH) when the
debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID with int 2Fh/AX=1684h
(Get Device API Entry Point): ES:DI receives the VxD's API entry point, or
0000:0000 when no VxD with that ID is loaded.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h           ; VxD ID of WINICE
        int     2Fh
        mov     ax, es              ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax              ; still 0 -> no entry point returned
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh           ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es              ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax              ; still 0 -> no entry point returned
        jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h that every system debugger
returns (in AX) to int 41h, function 4Fh (the debugger installation check).
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is
temporarily pointed at a dummy handler, so that without a system debugger
the call returns with AX untouched (4Fh); a system debugger that traps
int 41h still answers 0F386h.

        xor     ax, ax
        mov     es, ax              ; ES=0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]      ; install the dummy handler, keep the old vector in BX:DX
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]      ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect because
neither 4Fh nor 0F386h appears in it: the dummy handler copies AL into CL,
AL is loaded with a varying value (the PIT counter read from port 40h) and
CX is cleared before the call. If the program's own handler ran, CL equals
AL; if SoftICE handled the interrupt itself, CL is still 0.
(Caveat: when the byte read from port 40h happens to be 0, the check gives
a false 'not detected'.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP


        xor     ax, ax
        mov     es, ax              ; ES=0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]      ; install the handler, keep the old vector in BX:DX
        xchg    bx, es:[41h*4+2]
        in      al, 40h             ; 'random' value from the timer
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]      ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86 mode): the Windows debugger
installation check, function AH=43h, returns AX=0F386h when a debugger is
present.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
  (the function called is located at byte ptr [ebp+1Dh] and the client EIP
  is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov     ah, 25h             ; set interrupt vector
        mov     al, Int_Number      ; 01h or 03h
        mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
        int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is.

        mov     eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov     edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________


Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only,
as a mov from DRx is a privileged instruction) you can tell whether SoftICE
is loaded (DR7=0x700 if the program was started with the SoftICE loader,
0x400 otherwise: bit 10 of DR7 is reserved and always reads as 1, and bits
8-9, the LE/GE flags, account for the difference) and whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API; the open only succeeds when the driver is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\.\SICE" is the device name of the WINICE VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)   /* open succeeded -> SoftICE is loaded */
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA the request goes through the VWIN32 service
0x001F (_VWIN32_ReleaseWin32Mutex, reached via Kernel32!ORD_0001/VxDCall)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how could a shareware program load/unload
a non-dynamically loadable driver such as SoftICE anyway ;-).
If the VxD is loaded, it always clears eax and the Carry flag, which lets
the handle be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025        ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the inc eax / jnz test):

        push 00                   ; OF_READ
        mov  eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                  ; -1 -> 0 when the open failed
        jnz  00650589             ; detected
        push 00                   ; OF_READ
        mov  eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available under
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh           ; function 4Fh
        push    002A002Ah           ; high word selects the VxD (VWIN32),
                                    ; low word the service (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001   ; VxDCall
        cmp     ax, 0F386h          ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all the files in the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
  (esp->8 is the subkey string; 'tICE' sits at offset 0x13 in
  "Software\NuMega\SoftICE" and at offset 0x37 in key #1)
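Putting methods 01 to 13 together: the following Python script is an added
example, not code from the original text nor from any tool or program it
mentions. It is a static triage scanner that searches a file image for the
instruction encodings and strings the tricks above leave behind (the
'BCHK' and 'FG'/'JM' magic values, the WINICE/SIWVID VxD IDs passed to
int 2Fh, int 20h and VxDCall, the int 41h/68h checks, the 0F386h compare,
the \\.\SICE style device names and the registry key names) and reports
which trick is found at which offset, the way you would triage a packed
target before loading it under SoftICE. The signatures are derived from the
listings on this page; the allowed gap between the instructions of one
trick and the SAMPLE blob are my own constructions.

```python
"""
Static triage scanner for the anti-SoftICE tricks described above.
It looks for the instruction encodings and strings that methods 01 to 13
leave in a DOS .EXE, Win9x PE or VxD image and reports which trick sits at
which offset.  Signatures are derived from the listings on this page; the
gap sizes between instructions are an assumption, and SAMPLE is a
hand-built blob, not a real program.
"""
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    method: str
    offset: int
    description: str


# (method, description, byte regex, extra regex flags)
# "(?:\x66)?" tolerates the operand-size prefix that appears when the 16-bit
# register forms are assembled inside 32-bit code.
SIGNATURES = [
    ("01", "int 3 with EBP='BCHK' (BoundsChecker interface)",
     rb"(?:\x66)?\xbd\x4b\x48\x43\x42", 0),                      # mov ebp,4243484Bh
    ("02", "int 3 back door: SI=4647h ('FG') and DI=4A4Dh ('JM')",
     rb"(?:\x66)?\xbe\x47\x46.{0,12}?(?:\x66)?\xbf\x4d\x4a"        # mov si,.. then mov di,..
     rb"|(?:\x66)?\xbf\x4d\x4a.{0,12}?(?:\x66)?\xbe\x47\x46", 0),  # or the other way round
    ("03", "int 2Fh/AX=1684h with BX=0202h (WINICE VxD ID)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x02\x02.{0,8}?\xcd\x2f", 0),
    ("04", "int 2Fh/AX=1684h with BX=7A5Fh (SIWVID VxD ID)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x5f\x7a.{0,8}?\xcd\x2f", 0),
    ("05", "int 41h function 4Fh debugger installation check",
     rb"\xb8\x4f\x00.{0,8}?\xcd\x41", 0),                          # mov ax,4Fh ; int 41h
    ("06", "in al,40h followed by int 41h (handler-swap variant, heuristic)",
     rb"\xe4\x40.{0,8}?\xcd\x41", 0),
    ("07", "int 68h function 43h debugger installation check",
     rb"\xb4\x43.{0,8}?\xcd\x68", 0),                              # mov ah,43h ; int 68h
    ("09", "VMMCall (int 20h) with EAX=0202h or 7A5Fh (Get_DDB)",
     rb"\xb8(?:\x02\x02|\x5f\x7a)\x00\x00.{0,16}?\xcd\x20", 0),    # service dword not checked
    ("11", "SoftICE device name for CreateFileA/_lopen (MeltICE)",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00", 0),  # push 4Fh ; push 2A002Ah
    ("13", "SoftICE registry key names",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe", re.IGNORECASE),
    ("05/07/12", "compare against the debugger magic value 0F386h (heuristic)",
     rb"(?:\x66)?\x3d\x86\xf3", 0),                                # cmp ax,0F386h
]
COMPILED = [(m, d, re.compile(p, re.DOTALL | f)) for m, d, p, f in SIGNATURES]


def scan(data: bytes) -> List[Hit]:
    """Return every signature hit in the image, ordered by offset."""
    hits = [Hit(method, m.start(), desc)
            for method, desc, rx in COMPILED
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h.offset)


def methods_found(data: bytes) -> List[str]:
    """Sorted list of the distinct method numbers seen in the image."""
    return sorted({h.method for h in scan(data)})


# Constructed sample: fragments assembled by hand from the listings above,
# separated by NOP padding.  It is not taken from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04"   # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 4
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"           # 02: mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                    # 03: mov ax,1684h; mov bx,202h; int 2Fh
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                    # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SIWVID\x00"                                   # 11: device name string
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                        # 12: push 4Fh; push 2A002Ah
    + b"Software\\NuMega\\SoftICE\x00"                        # 13: registry key
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  method {hit.method:9} {hit.description}")
```

Run it as a script to list the hits in SAMPLE, or call scan() on the bytes
of a real file read in binary mode. The two heuristic entries (method 06 and
the 0F386h compare) also fire on unrelated code that reads port 40h or
compares against that constant, so treat them as hints to confirm under the
breakpoints given above, not as proof.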
( F( p6 H5 u; g/ |, s6 d8 L f5 ?1 q
__________________________________________________________________________6 b7 {0 C& ]/ _& k


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only). The zero flag is clear when a debugger is installed.

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>