About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP = 'BCHK' and
AX = 4, the INT 3 is answered by SoftICE, which returns with AL changed (the
code below only checks that AL is no longer 4). Without a debugger the INT 3
raises an exception that the protection has to catch itself (see the note on
the exception handler under Method 02).

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'back door commands' on INT 3, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI receives the entry
point; a non-zero ES:DI therefore means that SoftICE is present.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first points the int 41h
vector at its own handler, which does nothing but IRET, and restores the
vector afterwards. Without a debugger the call therefore returns with AX
unchanged; if AX still comes back as 0F386h, something underneath the
real-mode vector (SoftICE) has intercepted the interrupt.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (the IVT segment),
    xchg    bx, es:[41h*4+2]        ; set explicitly in Method 06
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random AL from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The difference from the previous variant: AL is loaded from the timer port
(in al,40h) instead of the constant 4Fh, CX is cleared, and the dummy handler
copies AL into CL. If the interrupt really reached the handler, CL == AL
afterwards; if a debugger intercepted int 41h instead, CL stays 0 and the jnz
fires. No 4Fh or 0F386h constant appears, so a BPINT 41 conditioned on those
values will not catch it.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h                     ; DS:DX -> New_Int_Routine

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of \\.\SICE, the device name of the
      SoftICE VxD; the open only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
  dword compared holds the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

     (esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" inside
     "Software\NuMega\SoftICE" (#2) and 0x37 its offset inside
     "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (#1))

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set = no debugger

This service just checks a flag.
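The byte patterns behind Methods 01 to 07 and 11 to 13 can be searched for statically in a binary. The scanner below is an added example and is not part of the original text: the x86 encodings are mine, derived from the instruction sequences quoted above, the wildcards allowed between the constant loads and the interrupt are my choice, and the UTF-16LE device-name check (for a CreateFileW variant) is an extension the text does not mention. The sample image it scans is constructed for the test and is not taken from any real program.

```python
"""Static scanner for the anti-SoftICE tricks of Methods 01-07 and 11-13.
Added example, not part of the original text; encodings are mine."""
import re

# x86 encodings used (16-bit code; an optional 66h prefix covers the same
# 16-bit-operand instruction inside 32-bit code):
#   B8 iw mov ax,imm16    B4 ib mov ah,imm8     BD id mov ebp,imm32 (32-bit)
#   BB/BE/BF iw mov bx/si/di,imm16   CD ib int imm8   CC int 3
#   3D iw cmp ax,imm16    6A ib push imm8       68 id push imm32
#   26 87 /r xchg r16,es:[disp16]   (disp16 0104h/0106h = int 41h vector)
# ".{0,n}" tolerates a few unrelated instructions between the constant loads
# and the interrupt (for example the MOV DX,[BX] in the Haspinst.exe loop).
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' INT 3 probe",
     rb"\xbd\x4b\x48\x43\x42.{0,8}\x66?\xb8\x04\x00.{0,8}\xcc"),
    ("M02 SoftICE INT 3 back door, SI=4647h DI=4A4Dh",
     rb"\x66?\xbe\x47\x46.{0,8}\x66?\xbf\x4d\x4a.{0,8}\xcc"),
    ("M03/M04 INT 2Fh/1684h VxD entry-point probe (SICE or SIWVID)",
     rb"\x66?\xb8\x84\x16.{0,8}\x66?\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f"),
    ("M05 INT 41h function 4Fh debugger check",
     rb"\x66?\xb8\x4f\x00.{0,16}\xcd\x41"),
    ("M05/M06 INT 41h vector swapped in the IVT (xchg es:[41h*4])",
     rb"\x26\x87[\x16\x1e][\x04\x06]\x01"),
    ("M07 INT 68h function 43h (V86 WinICE handler)",
     rb"\xb4\x43.{0,8}\xcd\x68"),
    ("M05/M07/M12 compare with debugger magic 0F386h",
     rb"\x66?\x3d\x86\xf3"),
    ("M12 VxDCall VWIN32_Int41Dispatch(4Fh) via Kernel32 ordinal 1",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
# Device names opened by MeltICE (Method 11) and registry keys of Method 13.
DEVICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
REGISTRY_KEYS = ["Software\\NuMega\\SoftICE", "Uninstall\\SoftICE",
                 "App Paths\\Loader32.Exe"]


def scan(data: bytes):
    """Return sorted (offset, label) pairs for every pattern found in data."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), label))
    for name in DEVICE_NAMES:
        # The UTF-16LE form covers a CreateFileW variant (my extension).
        for needle, enc in ((name.encode("ascii"), "ASCII"),
                            (name.encode("utf-16-le"), "UTF-16LE")):
            for m in re.finditer(re.escape(needle), data):
                hits.append((m.start(), f"M11 MeltICE device name {name} ({enc})"))
    for key in REGISTRY_KEYS:
        # Registry paths are case-insensitive, so match them that way too.
        for m in re.finditer(re.escape(key.encode("ascii")), data, re.IGNORECASE):
            hits.append((m.start(), f"M13 SoftICE registry key {key}"))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image (not a real program): NOP filler around the
    Haspinst.exe loop body of Method 02, the Method 03 probe, the Method 12
    VxDCall check and a MeltICE device-name string."""
    nops = b"\x90" * 16
    m02 = (b"\xb8\x11\x09"          # mov ax,0911h   (execute command)
           b"\x8b\x17"              # mov dx,[bx]
           b"\xbe\x47\x46"          # mov si,4647h   ('FG')
           b"\xbf\x4d\x4a"          # mov di,4A4Dh   ('JM')
           b"\xcc")                 # int 3
    m03 = (b"\x33\xff"              # xor di,di
           b"\x8e\xc7"              # mov es,di
           b"\xb8\x84\x16"          # mov ax,1684h
           b"\xbb\x02\x02"          # mov bx,0202h   (SICE VxD ID)
           b"\xcd\x2f")             # int 2Fh
    m12 = (b"\x6a\x4f"              # push 4Fh
           b"\x68\x2a\x00\x2a\x00"  # push 2A002Ah   (VWIN32_Int41Dispatch)
           b"\xe8\x00\x00\x00\x00"  # call Kernel32!ORD_0001 (rel32 left as 0)
           b"\x66\x3d\x86\xf3")     # cmp ax,0F386h
    m11 = b"\\\\.\\SICE\x00"        # '\\.\SICE',0
    return nops + m02 + nops + m03 + nops + m12 + nops + m11 + nops


if __name__ == "__main__":
    for off, label in scan(build_sample()):
        print(f"{off:08x}  {label}")
```

Run it over a raw file with `scan(open(path, "rb").read())`; the offsets are file offsets, so translate them through the section table before mapping a hit back to a disassembly. A hit on the 0F386h compare alone is weak evidence (any 16-bit constant can collide) and should be read together with a nearby INT 41h/68h or VxDCall hit; the device-name and registry strings, on the other hand, are almost never present by accident.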
</PRE></TD></TR></TBODY></TABLE>