<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: if SoftICE is loaded
it answers the int 3 and al no longer holds 4, hence the cmp al,4.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'back door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
(es is assumed to be 0 here, as in Method 06) at its own handler, which just
does iret, so that without SoftICE the call returns ax unchanged:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
handler copies al into cl; if the int 41h call does not reach that handler
(SoftICE intercepting int 41h), cl keeps the value 0 and differs from the
byte read from the timer port:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
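As an added example, not part of the original document: a small Python
scanner that flags the byte sequences behind Methods 01, 02, 03/04, 05 and
07 in a raw code image, the kind of signature check an analyst runs over a
packed sample before spending time in the debugger (Method 06, whose int 41h
call carries no fixed constant, is left out). The instruction encodings are
hand-assembled for 16-bit code (Method 01 also allows the 66h prefix of its
32-bit form), the signature names are my own, and the sample buffer is
constructed here rather than taken from any real binary.

```python
import re
from typing import List, Tuple

# Byte patterns for the SoftICE checks quoted in Methods 01 to 07. The
# encodings are hand-assembled for 16-bit code (Method 01 also allows the
# 66h operand-size prefix of its 32-bit form); the names are my own.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "bchk_int3":     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,6}?\xCC", re.S),
    # Method 02: mov si,4647h ... mov di,4A4Dh (the 'magic values') ... int 3
    "int3_backdoor": re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "int2f_vxd_id":  re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S),
    # Method 05 (and Stone's variants): mov ax,4Fh / int 41h ... cmp ax,0F386h
    "int41_4f":      re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.S),
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    "int68_43":      re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3", re.S),
}


def scan(code: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every sequence found, sorted by offset."""
    hits = [(name, m.start()) for name, pat in SIGNATURES.items()
            for m in pat.finditer(code)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample image: the sequences from the text, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh      (Method 01)
    + b"\xB8\x04\x00"              # mov ax,4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al,4
    + b"\x90" * 4
    + b"\xB8\x11\x09"              # mov ax,0911h           (Method 02)
    + b"\xBE\x47\x46"              # mov si,4647h
    + b"\xBF\x4D\x4A"              # mov di,4A4Dh
    + b"\xCC"                      # int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16"              # mov ax,1684h           (Method 04)
    + b"\xBB\x5F\x7A"              # mov bx,7A5Fh (SIWVID)
    + b"\xCD\x2F"                  # int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"      # mov ax,4Fh / int 41h   (Method 05)
    + b"\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x90" * 4
    + b"\xB4\x43\xCD\x68"          # mov ah,43h / int 68h   (Method 07)
    + b"\x3D\x86\xF3"              # cmp ax,0F386h
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The patterns deliberately allow a few bytes of slack between the constant
load and the interrupt, since packers interleave junk instructions; on a
real image, run scan() over the unpacked code section and treat each hit as
a place to set a breakpoint, not as proof by itself.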
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
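As an added example (not from the original text): a Python decoder for the
DR7 layout that shows why the two values quoted above differ. Bit 10 of DR7
is reserved and always reads as 1, so an idle register shows 0x400; 0x700
adds bits 8 and 9 (LE and GE, the "exact" breakpoint enables), which is the
state the text attributes to the SoftICE loader. The same decoder exposes
armed DR0-DR3 breakpoints (BPMs) from the L/G enable bits and the R/W and
LEN fields. The field layout is the one documented in the Intel manuals; the
sample values and the classify() heuristic are constructed for this example.

```python
# DR7 field layout (Intel SDM vol. 3, "Debug Registers"); sample values constructed.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) is only defined in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global control bits and the per-slot settings for DR0..DR3."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # Li: enabled for the current task
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # Gi: enabled for all tasks
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/Wi: which access triggers it
        ln = (dr7 >> (18 + 4 * i)) & 3            # LENi: size of the watched range
        slots.append({"dr": i, "enabled": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),           # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),           # global exact breakpoint enable
        "reserved10": bool((dr7 >> 10) & 1),  # always reads as 1: an idle DR7 is 0x400
        "GD": bool((dr7 >> 13) & 1),          # general detect: fault on any MOV to/from DRn
        "slots": slots,
    }


def classify(dr7: int) -> str:
    """The heuristic described in the text, expressed on the decoded fields."""
    d = decode_dr7(dr7)
    armed = [s["dr"] for s in d["slots"] if s["enabled"]]
    if armed:
        return "hardware breakpoint(s) armed on DR%s" % ",".join(map(str, armed))
    if d["LE"] and d["GE"]:
        return "LE/GE set: program started under the SoftICE loader (the 0x700 case)"
    return "no debugger indication: only the reserved bit (the 0x400 case)"


if __name__ == "__main__":
    # 0x000F0401: DR0 armed locally as a 4-byte read/write watchpoint (a BPM).
    for v in (0x400, 0x700, 0x000F0401):
        print(f"dr7={v:#010x}: {classify(v)}")
```

Reading DR7 is a ring0 operation, so on a live system this decoder would be
fed by a driver or a kernel debugger; the GD bit is the reason the text warns
against tracing with SoftICE while the option is on, since any MOV to or
from a debug register then faults.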

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025      ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected



__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
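As an added example covering both the CreateFileA breakpoint of Method 11
and the _regopenkey breakpoint above (not code from the original text): a
Python model of how SoftICE evaluates these conditions. esp->4 and esp->8
are the first and second stack arguments (the name pointers), *(ptr+off)
reads the dword at that offset, and the quoted four-character constant is
compared against the bytes as they sit in memory, which is what these
breakpoints rely on. tag_offsets() derives the 0x13 and 0x37 constants from
the key strings instead of taking them on trust. The strings are constructed
here from the page's own names; the function names are my own.

```python
from typing import List

# Strings from Methods 11 and 13 as the debuggee passes them to CreateFileA /
# RegOpenKeyA: ASCII, NUL-terminated. Constructed here from the page's names.
DEVICE_NAMES = [b"\\\\.\\SICE\0", b"\\\\.\\SIWVID\0", b"\\\\.\\NTICE\0"]
REG_KEYS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE\0",       # key #1
    b"Software\\NuMega\\SoftICE\0",                                               # key #2
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe\0",  # key #3
]


def dword_text(mem: bytes, off: int) -> str:
    """*(ptr+off) as the breakpoint conditions use it: the four bytes at that
    address, compared byte-for-byte with a quoted constant such as 'SICE'."""
    return mem[off:off + 4].decode("latin-1")


def tag_offsets(mem: bytes, tag: str) -> List[int]:
    """Offsets at which a four-byte tag occurs: how 0x13 and 0x37 were derived."""
    t = tag.encode("latin-1")
    return [i for i in range(len(mem) - 3) if mem[i:i + 4] == t]


def createfile_condition(lp_file_name: bytes) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is the first
    argument (lpFileName); +4 skips the "\\\\.\\" prefix."""
    return dword_text(lp_file_name, 4) in ("SICE", "SIWV", "NTIC")


def regopenkey_condition(lp_sub_key: bytes) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE':
    esp->8 is the second argument (lpSubKey)."""
    return dword_text(lp_sub_key, 0x13) == "tICE" or dword_text(lp_sub_key, 0x37) == "tICE"


if __name__ == "__main__":
    for k in REG_KEYS:
        print(k.rstrip(b"\0").decode(), "-> 'tICE' at",
              [hex(o) for o in tag_offsets(k, "tICE")], "fires:", regopenkey_condition(k))
    for n in DEVICE_NAMES:
        print(n.rstrip(b"\0").decode(), "fires:", createfile_condition(n))
```

Running it shows that 'tICE' sits at 0x13 in key #2 and at 0x37 in key #1,
and that key #3 contains no 'tICE' at all, so the quoted breakpoint covers
keys #1 and #2 only; tag_offsets() gives the offset to add for any other
key name one wants the condition to catch.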

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>