About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al stays 4 unless SoftICE handled the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point): if the VxD is present, ES:DI comes back pointing at
its API entry point, otherwise ES:DI is left at 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The int 41h vector is temporarily pointed
at a dummy handler, so with no debugger AX comes back unchanged; SoftICE
intercepts int 41h before the real-mode vector is reached and still answers
0F386h.  ES must address the interrupt vector table (segment 0):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler (offset)
    xchg    bx, es:[41h*4+2]        ; swap in our handler (segment)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect (no
4Fh and no 0F386h constants to spot): the dummy handler copies AL into CL,
so CL == AL afterwards only if it really was our handler that ran.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h                     ; ds:dx -> New_Int_Routine

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
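None of the 16-bit or ring-0 snippets above can be run on a modern machine, but the tricks leave fixed byte patterns in a binary, and locating them is the first step before setting the BPX/BPINT breakpoints listed under each method. The following static scanner is an added example, not part of the original text: it encodes methods 01 to 07 and 11 to 13 as byte signatures (standard x86 encodings: mov r16,imm16 = B8+r iw, mov ebp,imm32 = BD id with a 66h prefix in 16-bit code, mov ah,imm8 = B4 ib, int imm8 = CD ib, cmp ax,imm16 = 3D iw, push imm32 = 68 id; xor cx,cx is assumed to be assembled as 33 C9 or 31 C9) and runs them over a sample image that is hand-assembled from the page's own snippets, not taken from any real program. Method 02 is matched by the two magic values in either order, method 11/13 by the driver and registry strings; the F386 signature is shared by methods 05, 07 and 12.

```python
"""Static scanner for the anti-SoftICE tricks described above (added example)."""
import re
import sys
from typing import List, Tuple

# (tag, description, compiled byte pattern). See the lead-in for the encodings used.
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' check (mov ebp,4243484Bh / int 3)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("M02", "SoftICE back door magic values (mov si,4647h + mov di,4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46",
                re.DOTALL)),
    ("M03", "int 2Fh/1684h with SICE VxD ID 0202h",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    ("M04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    ("M05", "int 41h function 4Fh (mov ax,4Fh / int 41h)",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("M06", "int 41h handler-swap variant (xor cx,cx / int 41h); 33 C9 or 31 C9 assumed",
     re.compile(rb"[\x31\x33]\xC9\xCD\x41")),
    ("M07", "int 68h function 43h (mov ah,43h / int 68h)",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("F386", "compare against debugger magic 0F386h (cmp ax,0F386h), shared by 05/07/12",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    ("M11", "MeltICE driver name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("M12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("M13", "SoftICE registry key name",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe")),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, tag) for every signature hit in data, sorted by offset."""
    hits = []
    for tag, _desc, pat in SIGNATURES:
        for m in pat.finditer(data):
            hits.append((m.start(), tag))
    hits.sort()
    return hits


def describe(tag: str) -> str:
    """Human-readable description of a signature tag."""
    for t, desc, _pat in SIGNATURES:
        if t == tag:
            return desc
    raise KeyError(tag)


def report(data: bytes) -> List[str]:
    """One line per hit: hex offset, tag, description."""
    return [f"{off:08X}  {tag:<5} {describe(tag)}" for off, tag in scan(data)]


# Constructed sample image (not a real program): the page's snippets hand-assembled
# and separated by NOP padding so that offsets are easy to read.
SAMPLE = (
    b"\x90" * 4
    # Method 01, 16-bit: 66 BD 'BCHK' | mov ax,4 | int 3 | cmp al,4 | jnz
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x90" * 4
    # Method 02 (Haspinst loop): mov ax,0911 | mov dx,[bx] | mov si,4647 | mov di,4A4D
    # | int 3 | add bx,2 | inc cx | cmp cx,6 | jb
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02\x41\x83\xF9\x06\x72\xE9"
    + b"\x90" * 4
    # Method 03: xor di,di | mov es,di | mov ax,1684 | mov bx,0202 | int 2F
    # | mov ax,es | add ax,di | test ax,ax | jnz
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x03\xC7\x85\xC0\x75\x10"
    + b"\x90" * 4
    # Method 05: mov ax,4F | int 41 | cmp ax,F386 | jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    + b"\x90" * 4
    # Method 07: mov ah,43 | int 68 | cmp ax,F386 | jz
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x10"
    + b"\x90" * 4
    # Method 12, 32-bit: push 4F | push 002A002A | call rel32 | cmp ax,F386 (66-prefixed) | jz
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3\x74\x10"
    + b"\x90" * 4
    # Methods 11 and 13: strings as they would sit in a data section
    + b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(image):
        print(line)
```

Run it with a file argument to scan a real DOS or Win9x executable, or with no argument to see the constructed sample produce 13 hits (one each for methods 01, 02, 03, 05, 07, 12 and 13, three F386 compares and three driver names). The signatures are deliberately tight and are trivially evaded (swapped register order, a computed constant instead of an immediate, the method 06 variant that carries no magic numbers at all), so treat a hit as a place to put a breakpoint, not as proof, and treat no hit as nothing.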