<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es = 0 so that es:[41h*4] addresses the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: a value unlikely to be 0
    xor cx, cx
    int 41h                 ; our handler copies al into cl, SoftICE's does not
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; DOS set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name is only reachable if the SICE VxD is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
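The instruction sequences quoted in Methods 01 to 12 can be turned into a triage check that tells an analyst whether a sample carries one of these anti-debugging routines before it is stepped through. The Python scanner below is an added example, not code from the original text: the byte patterns are the standard Intel encodings of the instructions quoted above, and the sample buffer it scans is constructed.

```python
"""Scanner for the SoftICE-detection byte sequences listed above (added
example, not part of the original text).  Each pattern is the standard x86
encoding of the instructions quoted in the text; an optional 0x66
operand-size prefix lets the 16-bit forms also match inside 32-bit code.
The sample buffer at the bottom is constructed for demonstration."""
import re
import sys
from typing import List, Tuple

SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    ("01 BoundsChecker BCHK", rb"\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc\x3c\x04"),
    # Method 02: mov si,4647h / mov di,4A4Dh (back door magic values)
    ("02 back door SI/DI magic", rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    ("03 int 2F/1684 SICE id", rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"),
    ("04 int 2F/1684 SIWVID id", rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"),
    # Methods 05/06: mov ax,4Fh / int 41h
    ("05 int 41/4F", rb"\x66?\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68/43", rb"\xb4\x43\xcd\x68"),
    # Methods 05/07/12: cmp ax,0F386h (the system-debugger magic number)
    ("cmp ax,0F386h", rb"\x66?\x3d\x86\xf3"),
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    ("12 VxDCall Int41Dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 11 (MeltICE): driver device names passed to CreateFileA/_lopen
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, data):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: NOP padding, the Method 01 check, a Method 05 check
# and a MeltICE device string, laid out as they might sit in a packed stub.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"
    + b"\x90" * 4
    + b"\x66\xb8\x4f\x00\xcd\x41\x66\x3d\x86\xf3\x74\x05"
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    # scan a file given on the command line, or the constructed sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(blob):
        print(f"0x{offset:08x}  {label}")
```

A hit only says that the pattern is present; a protector may split or obfuscate these sequences, so the list is a starting point for where to set breakpoints, not proof of their absence.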