About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 (IVT segment) here, as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========


=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
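Added example (not code from the original post, written in Python rather than ring-0 assembly): it decodes a DR7 value the way a check like the one above has to interpret it, following the Intel SDM bit layout. The 0x400/0x700 rule of thumb is the post's own observation; what the decoder shows is why it holds: bit 10 of DR7 is reserved and always reads as 1, so 0x400 is an idle register, while 0x700 additionally carries the LE and GE bits (8 and 9), and the per-slot bits reveal any BPM armed in DR0-DR3. The register values fed to it are constructed.

```python
# Added example, not from the original post: decode DR7 per the Intel SDM layout.
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 means 8 bytes only in long mode


def decode_dr7(dr7):
    """Return the control bits and the four hardware-breakpoint slots encoded in DR7."""
    info = {
        "LE": bool((dr7 >> 8) & 1),    # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),    # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),   # general detect: trap on any DRx access
        "slots": [],
    }
    for n in range(4):
        local_enable = bool((dr7 >> (2 * n)) & 1)       # Ln bit
        global_enable = bool((dr7 >> (2 * n + 1)) & 1)  # Gn bit
        rw = (dr7 >> (16 + 4 * n)) & 3                  # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 3                  # LENn field
        info["slots"].append({
            "index": n,
            "enabled": local_enable or global_enable,
            "scope": "global" if global_enable else ("local" if local_enable else None),
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def active_breakpoints(dr7):
    """Slots (DR0..DR3) that currently arm a breakpoint, i.e. what a BPM check would see."""
    return [s for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def matches_post_heuristic(dr7):
    """The post's rule of thumb: 0x700 = started under the SoftICE loader, 0x400 = idle."""
    if dr7 == 0x700:
        return "softice-loader"
    if dr7 == 0x400:
        return "idle"
    return "other"


if __name__ == "__main__":
    # Constructed values: idle register, the loader signature, and DR0 armed as a
    # local 4-byte write breakpoint (L0 | R/W0=01 | LEN0=11 | reserved bit 10).
    for value in (0x400, 0x700, 0xD0401):
        d = decode_dr7(value)
        print(hex(value), matches_post_heuristic(value), "LE=%s GE=%s" % (d["LE"], d["GE"]),
              [(s["index"], s["scope"], s["type"], s["length"]) for s in active_breakpoints(value)])
```

Reading the slots rather than comparing the whole register is what makes the check robust: any other debugger that arms a hardware breakpoint shows up the same way, and clearing the Ln/Gn bits is exactly the "clearing BPMs" the post mentions.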

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.


   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========


A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed


This service just checks a flag.
4 ^% b. u# O3 T% J) u</PRE></TD></TR></TBODY></TABLE>