About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: the int 3 returns with
AL still equal to 4 unless SoftICE's BoundsChecker interface has answered it.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES is assumed to hold 0 (the IVT) here
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; some arbitrary, non-constant value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

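As an added illustration of what Method 10 actually reads (this is not code from the original post), the decoder below splits a DR7 value into its fields using the standard x86 DR7 layout (L0/G0..L3/G3 in bits 0-7, LE in bit 8, GE in bit 9, bit 10 reserved and always read as 1, GD in bit 13, R/Wn and LENn pairs from bit 16 up). It shows that the 0x700 vs 0x400 difference quoted above is exactly the LE and GE bits, and how a set BPM shows up in dr7. The sample value 0xD0702 is constructed for the demonstration; on a real system the register has to be read from ring 0, as the text says.

```python
"""Decode DR7 the way Method 10 inspects it (added example, not from the post)."""
from typing import Dict, List

# R/W and LEN field encodings from the x86 debug-register layout.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return the control bits and every enabled hardware breakpoint in dr7."""
    bps: List[Dict[str, object]] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: enabled for the current task
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: enabled for all tasks
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn: what access triggers it
            ln = (dr7 >> (18 + 4 * n)) & 3    # LENn: width of the watched range
            bps.append({"index": n, "local": bool(local), "global": bool(glob),
                        "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & 0x100),              # local exact breakpoint enable
        "ge": bool(dr7 & 0x200),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & 0x400),  # always 1 on real hardware
        "gd": bool(dr7 & 0x2000),             # general detect (DR access traps)
        "breakpoints": bps,
    }


def softice_loader_signature(dr7: int) -> bool:
    """Method 10's heuristic as stated in the text: dr7 reads 0x700 (LE|GE set)
    when the program was started from the SoftICE loader, 0x400 otherwise."""
    return (dr7 & 0x300) == 0x300


if __name__ == "__main__":
    # Constructed sample: loader signature plus a global 4-byte write BPM on dr0.
    for value in (0x400, 0x700, 0xD0702):
        print(f"dr7={value:#x}: loader={softice_loader_signature(value)} "
              f"{decode_dr7(value)}")
```

Reading dr7 only tells you that some breakpoint exists and its width and access type; the linear address being watched lives in the matching dr0..dr3, which the text says are read the same way.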
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
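When triaging a packed sample it is useful to know up front which of the tricks above it carries, before stepping into it. The scanner below is an added example, not code from the original post: it turns the instruction sequences of Methods 01, 02, 03/04, 05, 07 and 12 and the device names of Method 11 into byte signatures and reports where they occur in a buffer. The opcode bytes are the standard x86 encodings of the instructions exactly as written in the text (16-bit forms for the DOS methods, 32-bit forms for Methods 01 and 12); the allowance of up to 16 bytes between the distinctive instructions and the sample buffer at the bottom are constructed for this demonstration.

```python
"""Static triage scanner for the anti-SoftICE byte patterns (added example)."""
import re
from typing import List, Tuple

# Up to 16 arbitrary bytes may sit between the distinctive instructions, so
# that interleaved register setup does not defeat the match (assumption).
GAP = rb".{0,16}?"

SIGNATURES = [
    # Method 01 (32-bit): mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("M01 BoundsChecker int 3 (ebp='BCHK')",
     re.compile(rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC" + GAP + rb"\x3C\x04", re.DOTALL)),
    # Method 02 (16-bit): mov si,4647h ; mov di,4A4Dh ; int 3
    ("M02 SoftICE back door int 3 (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"\xCC", re.DOTALL)),
    # Methods 03/04 (16-bit): mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID id)",
     re.compile(rb"\xB8\x84\x16" + GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F",
                re.DOTALL)),
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("M05 int 41h/4Fh debugger check (0F386h)",
     re.compile(rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + rb"\x3D\x86\xF3", re.DOTALL)),
    # Method 07 (16-bit): mov ah,43h ; int 68h ; cmp ax,0F386h
    ("M07 int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43" + GAP + rb"\xCD\x68" + GAP + rb"\x3D\x86\xF3", re.DOTALL)),
    # Method 11: NUL-terminated \\.\SICE, \\.\SIWVID or \\.\NTICE device name
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12 (32-bit): push 4Fh (imm8 or imm32 form) ; push 2A002Ah
    ("M12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)" + GAP + rb"\x68\x2A\x00\x2A\x00",
                re.DOTALL)),
]


def scan(buf: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = [(name, m.start()) for name, pat in SIGNATURES for m in pat.finditer(buf)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def methods_found(buf: bytes) -> List[str]:
    """Names of the tricks present, each listed once, in order of first hit."""
    seen: List[str] = []
    for name, _ in scan(buf):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample: several of the sequences embedded in filler, plus a lone
# int 3 (CCh) that must not trigger anything on its own.
SAMPLE = b"".join([
    b"\x90" * 4,                                      # 0..3   filler
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10",      # 4..13  Method 05 + jz
    b"\xCC\x90\x90",                                  # 14..16 lone int 3
    b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC",      # 17..26 Method 02
    b"\x00" * 5,                                      # 27..31 filler
    b"\\\\.\\SICE\x00",                               # 32..40 Method 11
    b"\x90" * 2,                                      # 41..42 filler
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",              # 43..50 Method 03
])

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

A hit only says the bytes are present, not that the code path is reachable, so treat the output as a list of places to set breakpoints (the BPX/BPINT lines in the text are the dynamic counterpart), not as a verdict on the sample.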