<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one (Method 06), are two examples
from Stone's "stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                   ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                   ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read a timer byte: an unpredictable value
    xor cx,cx
    int 41h                     ; our handler copies al into cl...
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                   ; ...unless a debugger swallowed the int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
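An added example (not part of the original text): a DR7 decoder following the bit layout Intel documents for the debug-control register, so the 0x700 and 0x400 values above, and a register with an armed memory breakpoint, can be read field by field when inspecting a VM or a dump. The third sample value is constructed for the example.

```python
# Added example, not from the original text: decode the x86 DR7 debug-control
# register into its fields (bit layout as documented by Intel).  Bit 10 is
# reserved and always reads as 1, which is why 0x400 is the idle baseline and
# 0x700 adds only the LE/GE exact-breakpoint enables (no DR0..DR3 armed).
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding is not monotonic


def decode_dr7(dr7):
    """Return a dict describing what the given DR7 value enables."""
    info = {
        "LE": bool(dr7 & (1 << 8)),      # local exact-breakpoint enable
        "GE": bool(dr7 & (1 << 9)),      # global exact-breakpoint enable
        "GD": bool(dr7 & (1 << 13)),     # general detect: trap on any DR access
        "breakpoints": [],
    }
    for n in range(4):                    # one L/G enable pair per DR0..DR3
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn: break on exec/write/io/rw
        ln = (dr7 >> (18 + 4 * n)) & 3    # LENn: watched length in bytes
        info["breakpoints"].append({
            "slot": n, "local": local, "global": glob,
            "type": RW_NAMES[rw], "len": LEN_NAMES[ln],
        })
    return info


def has_hw_breakpoints(dr7):
    """True when at least one of DR0..DR3 is armed (a BPM-style watch)."""
    return bool(decode_dr7(dr7)["breakpoints"])


if __name__ == "__main__":
    # Constructed sample: 0x700 plus G0 set, R/W0 = write, LEN0 = 4 bytes,
    # i.e. a global 4-byte write watchpoint in DR0.
    SAMPLE_DR7 = 0x700 | (1 << 1) | (1 << 16) | (3 << 18)
    for v in (0x400, 0x700, SAMPLE_DR7):
        print(hex(v), decode_dr7(v))
```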
$ c3 ^6 q. D' @& B6 _, ]% _! E p" g+ t7 r+ [1 h
__________________________________________________________________________
' ?% a* ]. V8 t9 j0 X; s) D. o
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected

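An added example, not code from the original text: a small Python scanner, written from the analyst's side, that flags in a file image the byte patterns left behind by the checks of methods 01, 02, 05/07/12 and 11 above. The byte signatures and the sample buffer are constructed here from the listings in this text; 66h operand-size prefixes are not matched explicitly, since every pattern starts at the opcode byte that follows them.

```python
import re

# Added example (not from the original text): byte signatures for the
# anti-SoftICE checks listed above, constructed from the instruction
# encodings shown in methods 01, 02, 05/07/12 and 11.  Patterns start at the
# opcode byte, so 16-bit code and 32-bit code with a 66h prefix both match.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("bchk_int3", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh (the 'FG'/'JM' magic) ... int 3
    ("backdoor_fg_jm", re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,16}?\xCC", re.S)),
    # Methods 05/07: int 41h or int 68h followed by cmp ax,0F386h
    ("int41_68_f386", re.compile(rb"\xCD[\x41\x68].{0,8}?\x3D\x86\xF3", re.S)),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) for the VxDCall backdoor
    ("vxdcall_int41", re.compile(rb"\x68\x2A\x00\x2A\x00")),
    # Method 11: driver names opened with CreateFileA or _lopen, NUL-terminated
    ("device_name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(buf):
    """Return sorted (offset, signature_name) pairs for every hit in buf."""
    hits = []
    for name, pat in SIGNATURES:
        hits.extend((m.start(), name) for m in pat.finditer(buf))
    return sorted(hits)


# Constructed sample buffer: the Method 02 and Method 05 sequences encoded as
# 16-bit code, followed by the device-name string used by MeltICE.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h   (offset 9)
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"            # mov ax,4Fh
    + b"\xCD\x41"                # int 41h        (offset 23)
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x74\x10"                # jz SoftICE_detected
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0   (offset 34)
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Hits are reported at the first byte of the matched sequence, so a disassembler can be positioned directly on the suspect instruction.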
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>