<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') that SoftICE recognises:
if SoftICE is loaded, AL no longer holds 4 after the int 3.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; AL unchanged -> nobody answered the BoundsChecker call
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information about breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)
The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks up the SoftICE VxD by its ID via
int 2Fh/1684h (Get VxD API entry point): ES:DI stays 0:0 when the
VxD is not loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI still 0:0 -> VxD not present
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

A method identical to the preceding one, except that it looks up the ID of
the SoftICE GFX VxD (SIWVID).
 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one (Method 06) are two examples
from Stone's "stn-wid.zip" (www.cracking.net). Here the int 41h vector in
the IVT is temporarily replaced by a dummy handler, so that without a
debugger the call simply returns with AX untouched:

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler (ES must point to the IVT, segment 0)
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect.
The dummy handler copies AL into CL: if the int 41h reaches it, CL equals
AL afterwards; if something below the IVT (SoftICE) swallows the interrupt,
CL stays 0.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES -> IVT
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; arbitrary value (PIT counter) to compare against
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
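The DR7 values quoted for Method 10 (0x700 vs 0x400) become clearer once the register is split into its fields. The following Python decoder is an added example, not part of the original text or of SoftICE; it uses the standard x86 DR7 bit layout, and the sample value 0x000D0403 is constructed.

```python
"""Decode DR7 as read by Method 10. Added example, not from the original
text; bit positions follow the standard x86 debug-register layout."""
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # code 2 = 8 bytes only on 64-bit CPUs


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into its global control bits and the four breakpoint slots."""
    slots: List[Dict] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)       # L0..L3
        glob = bool((dr7 >> (2 * i + 1)) & 1)    # G0..G3
        rw = (dr7 >> (16 + 4 * i)) & 3           # R/W0..R/W3
        ln = (dr7 >> (18 + 4 * i)) & 3           # LEN0..LEN3
        slots.append({"slot": i, "enabled": local or glob, "local": local,
                      "global": glob, "type": RW_NAMES[rw],
                      "len": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),      # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),      # global exact breakpoint enable
        "bit10": bool((dr7 >> 10) & 1),  # reserved, always reads as 1
        "GD": bool((dr7 >> 13) & 1),     # general detect (trap on DR access)
        "slots": slots,
    }


def armed_slots(dr7: int) -> List[int]:
    """Slots whose L or G bit is set, i.e. DR0..DR3 entries that are live."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def classify(dr7: int) -> str:
    """Apply the Method 10 heuristic: 0x700 -> started under the SoftICE
    loader (LE+GE set on top of reserved bit 10), 0x400 -> reserved bit only;
    any armed slot -> a hardware (BPM-style) breakpoint is set."""
    d = decode_dr7(dr7)
    armed = armed_slots(dr7)
    if armed:
        return "hardware breakpoint armed in DR" + ",".join(str(s) for s in armed)
    if d["LE"] and d["GE"]:
        return "LE/GE set (0x700 pattern): loaded by the SoftICE loader"
    return "only reserved bit 10 set (0x400 pattern): no loader, no breakpoints"


if __name__ == "__main__":
    for value in (0x700, 0x400, 0x000D0403):   # last one is a constructed sample
        print(f"dr7={value:#010x}: {classify(value)}")
```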

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* "\\\\.\\SICE" in C source is the device name \\.\SICE */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 /* the open only succeeds when the SICE VxD is loaded */
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
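As an analyst's counterpart to the SoftICE breakpoints listed above, the following Python scanner looks for the static fingerprints of Methods 01, 02, 05, 11, 12 and 13 (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the 4Fh/0F386h int 41h check, the 002A002Ah VxDCall, the \\.\SICE-style device names and the SoftICE registry paths) in a raw file image. It is an added example, not part of the original text or of any tool it mentions; the opcode encodings are the standard x86 ones and the SAMPLE blob is constructed.

```python
"""Static scan for SoftICE-detection fingerprints (methods 01, 02, 05, 11,
12, 13). Added example, not from the original text; x86 encodings are the
standard ones, the SAMPLE blob is constructed."""
import re
import sys
from typing import List, Tuple

ANY = rb"[\x00-\xff]{0,8}"   # up to 8 bytes of unrelated code in between

SIGNATURES = {
    # Method 01: mov ebp,'BCHK' (BD imm32; 66-prefixed in 16-bit code) ... int 3
    "m01_bchk":     re.compile(rb"\xBD\x4B\x48\x43\x42" + ANY + rb"\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (16- or 32-bit form) ... int 3
    "m02_backdoor": re.compile(rb"\xBE\x47\x46(?:\x00\x00)?\xBF\x4D\x4A(?:\x00\x00)?"
                               + ANY + rb"\xCC"),
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    "m05_int41":    re.compile(rb"\xB8\x4F\x00\xCD\x41" + ANY + rb"\x3D\x86\xF3"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "m12_vxdcall":  re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11: device names handed to CreateFileA / _lopen
    "m11_meltice":  re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry paths (#1, #2, #3)
    "m13_registry": re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|"
                               rb"App Paths\\Loader32\.Exe", re.IGNORECASE),
}


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every fingerprint found, by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: NOP filler around four of the fingerprints.
SAMPLE = (
    b"\x90" * 4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xB8\x11\x09\xCC"      # method 02 (16-bit), offset 4
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"      # method 05, offset 17
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"         # method 11, offsets 30 and 39
    + b"Software\\NuMega\\SoftICE\x00"                 # method 13, offset 58
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, off in scan(data):
        print(f"{off:#010x}  {name}")
```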

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>