<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: with
EBP='BCHK' and AX=4, an INT 3 serviced by SoftICE comes back with AL
changed, which the program tests with cmp al,4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; AL still 4 -> no debugger answered
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy: jump back.
    4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point): ES:DI is zeroed before the call and is only
non-zero afterwards if a VxD with that ID is loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; still 0 if no VxD with that ID answered
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next snippet and Method 06 are two examples from Stone's "stn-wid.zip"
(www.cracking.net). Here the program first points the int 41h vector at its
own IRET-only handler, so AX can only come back as 0F386h if a debugger
intercepts int 41h before the vector is reached:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; ES must be 0 (the IVT); see Method 06 for the setup
    xchg bx, es:[41h*4+2]      ; install our handler, old vector is saved in DX:BX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: AL is
loaded from the timer port and the program's own int 41h handler copies it
into CL, so after the int CL == AL only if that handler serviced it.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install our handler, old vector is saved in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; timer counter: a value that is hard to predict
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (in ring 0 only) you can detect whether
SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (dr0 to dr3). The
values can also be manipulated or changed (clearing BPMs, for instance).
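To make the two DR7 values above concrete, here is an added example (not
code from the original text) that decodes DR7 with the Intel debug-register
layout: L/G enable bits 0-7, LE/GE bits 8-9, reserved bit 10 (always reads
as 1), GD bit 13, and the R/W and LEN fields from bit 16. The 0x400 and
0x700 values come from the text; BPM_EXAMPLE is a constructed value with
one memory breakpoint armed, so you can see what such a ring-0 check
actually observes.

```python
"""Decode DR7 the way a ring-0 check of the kind described in Method 10 sees it.

Added example, not code from the original text.  0x400 and 0x700 are the two
values the text quotes; BPM_EXAMPLE is constructed.
"""
from typing import Dict, List

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}  # 0b10 means 8 bytes only on 64-bit CPUs


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its global flags and the list of armed breakpoint slots."""
    slots: List[Dict[str, object]] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)      # Ln: armed for the current task
        glob = bool((dr7 >> (2 * n + 1)) & 1)   # Gn: armed for every task
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11       # R/Wn: which kind of access traps
        ln = (dr7 >> (18 + 4 * n)) & 0b11       # LENn: size of the watched range
        slots.append({"slot": n, "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "LE": bool(dr7 & (1 << 8)),    # local exact breakpoint match
        "GE": bool(dr7 & (1 << 9)),    # global exact breakpoint match
        "GD": bool(dr7 & (1 << 13)),   # general detect: MOV to/from DRn traps
    }


def debugger_indicators(dr7: int) -> List[str]:
    """What a check that reads DR7 in ring 0 can conclude from the value."""
    info = decode_dr7(dr7)
    found: List[str] = []
    if dr7 == 0x700:
        found.append("dr7 == 0x700: LE and GE set, the value the text reports "
                     "when the target was started with the SoftICE loader")
    for bp in info["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        found.append(f"slot {bp['slot']}: {scope} {bp['kind']} breakpoint on "
                     f"{bp['length']} byte(s), i.e. a BPM is armed")
    if info["GD"]:
        found.append("GD set: any MOV to or from a debug register traps, "
                     "which a debugger uses to protect its breakpoints")
    return found


# Constructed value: reserved bit 10, G0 set, R/W0 = write, LEN0 = 4 bytes,
# i.e. a 4-byte memory write breakpoint armed in slot 0 for all tasks.
BPM_EXAMPLE = 0x400 | (1 << 1) | (0b01 << 16) | (0b11 << 18)

if __name__ == "__main__":
    for value in (0x400, 0x700, BPM_EXAMPLE):
        print(f"dr7={value:#x}: {debugger_indicators(value) or ['nothing suspicious']}")
```

Note that 0x400 decodes to nothing but the reserved bit, which is why the
text treats it as the "no SoftICE loader" baseline, while 0x700 differs only
by LE and GE: no BPM needs to be armed for the loader to be noticed.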

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SICE device can be opened, i.e. the SoftICE VxD is
   loaded and answered the DIOC_OPEN control message described below. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
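All of the tricks above leave fixed constants in the program: the 'BCHK'
immediate of Method 01, the 4647h/4A4Dh pair of Method 02, int 2Fh/1684h
with the 0202h and 7A5Fh VxD IDs of Methods 03 and 04, int 41h/4Fh of
Method 05, int 68h/43h of Method 07, the 4Fh/2A002Ah VxDCall pair of
Method 12, the device names of Method 11 and the registry keys of
Method 13. The scanner below is an added example (not code from the text)
that looks for the byte encodings of those idioms in a raw code buffer, the
way an analyst triages a protected binary before setting the BPX conditions
listed above. The encodings were assembled by hand from the constants quoted
in the text; the sample buffer is constructed, not taken from a real file.

```python
"""Static triage scanner for the SoftICE-detection idioms of Methods 01-05, 07 and 11-13.

Added example, not code from the original text.  The byte patterns were assembled by
hand from the constants quoted in those methods; SAMPLE is a constructed buffer, not
a real binary.  Finding a pattern says the idiom is present, not that it is reached.
"""
import re
from typing import List, Tuple

# Optional 66h operand-size prefix: a 16-bit register move is encoded without it in
# 16-bit DOS code and with it in 32-bit Win32 code, so one pattern covers both.
P = rb"(?:\x66)?"

# (method id, description, regex over raw code bytes)
CODE_SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("M01", "mov ebp,'BCHK' / mov ax,4 / int 3 (BoundsChecker interface)",
     rb"\xbd\x4b\x48\x43\x42" + P + rb"\xb8\x04\x00\xcc"),
    ("M02", "mov si,4647h / mov di,4A4Dh / int 3 (SoftICE back door)",
     P + rb"\xbe\x47\x46" + P + rb"\xbf\x4d\x4a\xcc"),
    ("M03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD ID)",
     P + rb"\xb8\x84\x16" + P + rb"\xbb\x02\x02\xcd\x2f"),
    ("M04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD ID)",
     P + rb"\xb8\x84\x16" + P + rb"\xbb\x5f\x7a\xcd\x2f"),
    ("M05", "mov ax,4Fh / int 41h (debugger installation check)",
     P + rb"\xb8\x4f\x00\xcd\x41"),
    ("M07", "mov ah,43h / int 68h (V86 handler check)",
     rb"\xb4\x43\xcd\x68"),
    ("M12", "push 4Fh / push 2A002Ah before VxDCall (VWIN32_Int41Dispatch)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("MAGIC", "cmp ax,0F386h (system-debugger magic, Methods 05/07/12)",
     P + rb"\x3d\x86\xf3"),
]

# (method id, description, ASCII string); each is also searched as UTF-16-LE
STRING_SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("M11", "device name \\\\.\\SICE (MeltICE)", b"\\\\.\\SICE"),
    ("M11", "device name \\\\.\\SIWVID (MeltICE)", b"\\\\.\\SIWVID"),
    ("M11", "device name \\\\.\\NTICE (MeltICE)", b"\\\\.\\NTICE"),
    ("M13", "registry key Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
    ("M13", "registry key ...\\Uninstall\\SoftICE", b"\\Uninstall\\SoftICE"),
    ("M13", "registry key ...\\App Paths\\Loader32.Exe", b"\\App Paths\\Loader32.Exe"),
]


def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method id, description) for every indicator, sorted by offset."""
    hits: List[Tuple[int, str, str]] = []
    for mid, desc, pattern in CODE_SIGNATURES:
        for m in re.finditer(pattern, data):
            hits.append((m.start(), mid, desc))
    for mid, desc, text in STRING_SIGNATURES:
        for needle in (text, text.decode("ascii").encode("utf-16-le")):
            for m in re.finditer(re.escape(needle), data):
                hits.append((m.start(), mid, desc))
    return sorted(hits)


def methods_found(data: bytes) -> List[str]:
    """Distinct method ids present, in order of first occurrence."""
    seen: List[str] = []
    for _, mid, _ in scan(data):
        if mid not in seen:
            seen.append(mid)
    return seen


# Constructed sample: padding, Method 03 in its 16-bit form, Method 01 in its 32-bit
# form, the MeltICE device name, and registry key #2 stored as a wide string.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("b88416bb0202cd2f8cc003c785c0")   # mov ax,1684h/mov bx,202h/int 2Fh/mov ax,es/add ax,di/test ax,ax
    + b"\x90" * 4
    + bytes.fromhex("bd4b48434266b80400cc3c04")       # mov ebp,'BCHK'/mov ax,4/int 3/cmp al,4
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + "Software\\NuMega\\SoftICE".encode("utf-16-le")
)

if __name__ == "__main__":
    for off, mid, desc in scan(SAMPLE):
        print(f"{off:#06x}  {mid:<5}  {desc}")
```

The patterns require the instructions of each idiom to be adjacent, which is
how they appear in the listings above; a protector that interleaves junk
instructions between them will slip past this first pass, which is why the
BPX conditions given with each method remain the decisive check.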

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed                ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>