<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's BoundsChecker interface services this call
    cmp al, 4               ; ... and al comes back changed when it is present
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SIce window)
 -AX = 0911h (Execute SIce commands; the command is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy: jump back.
    4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of WinIce
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point,
    add ax, di              ; left at 0000:0000 if the VxD is absent
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keeping
    xchg bx, es:[41h*4+2]   ; the old vector in dx:bx
    mov ax, 4Fh
    int 41h                 ; without a debugger only the dummy iret runs
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h          ; a debugger still answered with the magic number
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; record the al value that reaches the handler
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keeping the old vector
    xchg bx, es:[41h*4+2]   ; in dx:bx
    in al, 40h              ; hard-to-predict value from the timer port
    xor cx, cx
    int 41h                 ; our handler should copy al into cl
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if a debugger intercepted the int, our handler
    jnz SoftICE_Detected    ; never ran and cl is still 0
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> the new handler
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
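Added example (not part of the original text): a decoder for the DR7 value such a ring-0 read returns, showing why the 0x700 and 0x400 values above differ (bits 8 and 9, LE and GE, versus only the reserved bit 10) and how an armed BPM shows up in the L/G and R/W/LEN fields. The bit layout is the documented x86 DR7 format; the 0x700 loader signature is the text's own claim, and the input values are constructed.

```python
# Added example (not part of the original text): decode what a ring-0 read of
# DR7 exposes, to show why the Method 10 check works.  Bit layout is the
# documented x86 DR7 format; 0x400 / 0x700 are the values the text above
# reports for a normal start / a start through the SoftICE loader.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}     # LENn encoding: 00=1, 01=2, 10=8, 11=4 bytes


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoint slots plus the LE/GE/GD flags of a DR7 value."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # L0..L3 live in bits 0,2,4,6
        glob = (dr7 >> (2 * n + 1)) & 1       # G0..G3 live in bits 1,3,5,7
        if local or glob:                     # a BPM on DRn is armed
            rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn: bits 16-17, 20-21, 24-25, 28-29
            ln = (dr7 >> (18 + 4 * n)) & 3    # LENn: bits 18-19, 22-23, 26-27, 30-31
            slots.append({"slot": n, "local": bool(local), "global": bool(glob),
                          "kind": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "LE": bool(dr7 & 0x100),    # bit 8:  local exact breakpoint enable
        "GE": bool(dr7 & 0x200),    # bit 9:  global exact breakpoint enable
        "GD": bool(dr7 & 0x2000),   # bit 13: general detect (trap on DRn access)
        "breakpoints": slots,       # bit 10 is reserved and always reads as 1
    }


def classify(dr7: int) -> str:
    """Triage a DR7 value the way the Method 10 check does."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "memory breakpoints set"       # dr0..dr3 now hold addresses worth reading
    if info["LE"] and info["GE"]:
        return "debugger loader signature"    # 0x700: LE and GE set, no BPM armed
    return "clean"                            # 0x400: nothing but the reserved bit


def dr7_with_bpm(slot: int, kind: str, length: int, base: int = 0x400) -> int:
    """Arm one local breakpoint slot in a DR7 value (constructs test input)."""
    rw = next(k for k, v in RW_NAMES.items() if v == kind)
    ln = next(k for k, v in LEN_NAMES.items() if v == length)
    return base | (1 << (2 * slot)) | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


if __name__ == "__main__":
    for value in (0x400, 0x700, dr7_with_bpm(0, "read/write", 4, 0x700)):
        print(f"dr7={value:#010x}: {classify(value)} {decode_dr7(value)['breakpoints']}")
```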
- w- X5 l2 M; c* `__________________________________________________________________________
C' m+ d& ?) m7 X8 `( J3 S, X6 b n+ V2 D9 _
Method 11# Z- p: S- ~6 k' t8 z
=========
) K* g6 V- M# F$ O N$ Q& L0 {9 e& ~# B' o. T; E% Z
This method is most known as 'MeltICE' because it has been freely distributed
G! A) A2 j: i G! h7 Y3 ~via www.winfiles.com. However it was first used by NuMega people to allow
" Y- h. F# E" Z3 MSymbol Loader to check if SoftICE was active or not (the code is located2 j/ a {# y# |
inside nmtrans.dll).
- V1 A; B) h0 {2 w& F( i
4 X1 g5 t& Y4 v" O+ C$ rThe way it works is very simple:
, X6 T8 f% [: P9 d2 IIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for1 Z# m% Q7 p% j
WinNT) with the CreateFileA API.9 F0 `' E7 D! ^: a/ ^; h
6 G' f' K" f0 m( CHere is a sample (checking for 'SICE'):8 C& X" I; t* w. f
4 D4 i$ N" c# V- U' b& i
BOOL IsSoftIce95Loaded()
8 I- t3 k0 R4 }8 z i8 ^8 C( f{/ Z* k& n; K( U8 B% K
HANDLE hFile; , c% `5 e+ B3 H% s% q$ X
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,/ w6 |+ _7 G, K# h! S: S% e
FILE_SHARE_READ | FILE_SHARE_WRITE,0 h' O2 N( T) _4 f; @1 k
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);7 P2 D8 M9 @3 X$ E7 y1 x7 G$ H
if( hFile != INVALID_HANDLE_VALUE )
9 N+ k. Q5 Q6 J3 l" w {
) s- `' m' Z/ S8 b5 h" K7 N CloseHandle(hFile);
4 E4 B( X) c% F5 T+ y% q; l! f5 C/ q return TRUE;
9 @8 }& G' U, p# v5 o2 @5 } }
6 `& l9 r5 X- h {& F8 u- [; _ return FALSE;3 a9 G3 K9 v& z" ]; n/ Q" r0 @
}
+ D5 p: k Q5 [. c/ c
+ z/ }* u5 m6 T ?+ x! K3 TAlthough this trick calls the CreateFileA function, don't even expect to be
2 e% X t9 m, ~/ M$ ]: T* fable to intercept it by installing a IFS hook: it will not work, no way!
6 k9 j0 z! J1 U- UIn fact, after the call to CreateFileA it will get through VWIN32 0x001F& `& ]7 }7 p& v% s* w8 r% q
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
( ~$ s7 v o6 E$ rand then browse the DDB list until it find the VxD and its DDB_Control_Proc
7 ?. J3 S; S. F0 b& A: Dfield.
/ U# x& K: k8 B# h. @# hIn fact, its purpose is not to load/unload VxDs but only to send a
8 y3 Q% W) p- O$ @$ @7 W* ~W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
+ U. q7 j9 D) m. C2 K- Kto the VxD Control_Dispatch proc (how the hell a shareware soft could try
2 B: S3 W3 n* P2 y( y- b; @9 k( Mto load/unload a non-dynamically loadable driver such as SoftICE ;-).! o" a0 b! f6 W8 _
If the VxD is loaded, it will always clear eax and the Carry flag to allow
& z7 L" {8 u4 G) f4 oits handle to be opened and then, will be detected.3 s1 @8 ~. A0 A
You can check that simply by hooking Winice.exe control proc entry point
, R P, u8 S' u: l9 lwhile running MeltICE.
$ B# b" j' D+ k+ i4 }; I. y; X/ v. Q* ~. c
" t9 @* O0 F: t" r
00401067: push 00402025 ; \\.\SICE
$ l( p" t1 M5 h3 P3 V% n 0040106C: call CreateFileA% y7 Z% b9 G+ F) S
00401071: cmp eax,-001( u" u7 J- t+ Y. T, T" g4 |
00401074: je 00401091
* T- Z7 |* d) s# Q9 C0 u8 S0 l
+ n- @% j1 {- W% f; p: |
9 x9 s& c! V" O/ M) f1 L/ _There could be hundreds of BPX you could use to detect this trick.
: r9 D, |# T# [+ J7 G1 {-The most classical one is:# n8 }; R" D6 k4 b6 ?
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || ?+ S0 ?/ I4 h4 m* r
*(esp->4+4)=='NTIC', m; X6 x1 |* b+ x
. m9 L# _) N& Q
-The most exotic ones (could be very slooooow :-(& m( U1 h! e1 d' r/ [" }7 ?
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
8 a% j2 n8 z0 t! \% a- Z% t ;will break 3 times :-(
?* u$ h J, i0 C9 M8 h" M1 f0 |) M( g+ n! R: P$ @1 Y; W+ \
-or (a bit) faster:
o/ G. O5 t' A2 n' q! D BPINT 30 if (*edi=='SICE' || *edi=='SIWV')" C8 k" Q# ~! k0 r( E9 z* w' E
4 K8 n6 p( ` a- j" {9 l BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
$ M9 L( I$ D5 E ;will break 3 times :-(
) X" f" @" T. x- H/ Y9 F3 {) a5 V7 J3 @8 T/ G6 ]
-Much faster:. r2 P2 h |. [( h' B4 V+ ?0 Y7 r- r: t
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'; V x, u' i3 Q' a9 D# U, |- B
6 b4 _6 P5 ]8 V. B* Z
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen$ t% I% q/ ]8 S9 k9 r% B5 V! J
function to do the same job:
/ b# M* b8 B" { i' l
1 }/ y: S# c6 R* \. h- E push 00 ; OF_READ7 o* K1 T+ k: z4 b* ]0 n
mov eax,[00656634] ; '\\.\SICE',0$ F) W4 R% Z/ c: p. q
push eax( M; n$ F6 ^; X4 P. p
call KERNEL32!_lopen
0 R0 {$ W; Z1 K% m% [' ` inc eax1 S5 q" f$ F' u0 I; W6 b/ s
jnz 00650589 ; detected- {5 }2 W, h7 J4 j0 ^8 d
push 00 ; OF_READ j* v6 D. Y, y
mov eax,[00656638] ; '\\.\SICE'1 T/ r( V+ R3 y5 |
push eax$ K+ k4 a" @) m6 |- I3 M3 C6 _
call KERNEL32!_lopen
. m6 r |0 ?+ P. d5 y8 T( q inc eax
# t: n1 U, N" C: c2 F jz 006505ae ; not detected9 {; j/ h9 C+ Q0 p
, C3 k! `+ F S. k% A% Q) j) W6 t( H
__________________________________________________________________________
: D2 H* s# Z6 f. E- A4 Y5 J& L1 q8 u I' Z$ @5 I9 Y* C1 N
Method 129 l5 S. N( a+ l# p" w9 d+ |
=========
! n$ U! r P5 K; ~# h b
" {# _7 Z4 X- e4 t4 z) Z2 e/ KThis trick is similar to int41h/4fh Debugger installation check (code 052 |0 P) O$ p8 ~6 I
& 06) but very limited because it's only available for Win95/98 (not NT)
* q( G. W! a7 x8 Y* Has it uses the VxDCall backdoor. This detection was found in Bleem Demo.# e6 t% g' U% R8 }
9 ]5 s7 K' ?' `2 |% Y
push 0000004fh ; function 4fh
& y1 E6 r. b$ h0 r8 l: v% u push 002a002ah ; high word specifies which VxD (VWIN32)" J! B. q: l, Q
; low word specifies which service
. a% |! g( M. a (VWIN32_Int41Dispatch)
/ S& M# O3 V& X call Kernel32!ORD_001 ; VxdCall8 M2 X1 X7 u& G
cmp ax, 0f386h ; magic number returned by system debuggers
% Y4 u9 ]( H0 J$ d- B4 a jz SoftICE_detected p/ }/ |: h. f0 Z# h
- @) t& U6 a7 w6 W/ J5 g
Here again, several ways to detect it:( U T; i' S* T5 j" c+ e2 F
7 N- F0 m$ B7 ^1 H BPINT 41 if ax==4f
x7 _. J5 q' k8 t+ K) U" e0 l
k& P0 I7 E' X7 @6 W6 h BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
/ b7 @: e# |3 `2 z8 |: q* y3 Q$ f; K( w% b: V, O
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
; a0 z' k9 A4 R6 a$ I; ^* ~, q( q9 `& |& {1 T( p5 E
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
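Added example (not part of the original text, and not code by the author): a static triage helper a defender can run over a sample to flag which of the tricks above it carries, covering methods 01, 02, 03/04, 05, 11 and 12. The byte patterns are the plain encodings of the instruction sequences quoted above, and the sample buffer is constructed; a real sample may use other encodings or build the values at run time, so a miss proves nothing.

```python
import re

# Signature table: (label, regex over raw bytes).  The byte strings are the
# encodings of the instruction sequences quoted in the text (16-bit code for
# the DOS-era int 3 / int 2Fh / int 41h tricks, 32-bit code for 'BCHK' and the
# VxDCall variant); ".{0,n}?" tolerates a few unrelated bytes in between.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    ("01 BoundsChecker int 3 ('BCHK')",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66\xB8\x04\x00.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (the SI/DI magic values)
    ("02 SoftICE back door (SI/DI magic values)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Method 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h  (room for the xchg pairs)
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.S)),
    # Method 11: the driver names MeltICE hands to CreateFileA / _lopen
    ("11 MeltICE driver name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes) -> list:
    """Return (label, offset) for every trick found, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((label, m.start()))
    return sorted(hits, key=lambda h: h[1])


def build_sample() -> bytes:
    """Constructed input for the test: a Haspinst-style back door call, the
    int 41h/4Fh check and a MeltICE-style driver name, separated by NOPs."""
    backdoor = bytes.fromhex("B81109")            # mov ax,0911h
    backdoor += bytes.fromhex("8B17")             # mov dx,[bx]
    backdoor += bytes.fromhex("BE4746BF4D4ACC")   # mov si,4647h ; mov di,4A4Dh ; int 3
    int41 = bytes.fromhex("B84F00CD413D86F3")     # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    meltice = b"\\\\.\\SICE\x00"                  # the string CreateFileA receives
    return b"\x90" * 4 + backdoor + b"\x90" * 3 + int41 + b"\x90" * 2 + meltice


if __name__ == "__main__":
    for label, off in scan(build_sample()):
        print(f"{off:#06x}  {label}")
```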
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>