About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

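As an added example that is not part of the original post: a small Python triage scanner that recognises the byte patterns methods 01 to 05 assemble to, so an analyst can tell which of these checks a sample contains before tracing it under a debugger. The opcode encodings are the standard x86 ones for the listings above; the sample buffer is constructed here, not taken from any real binary.

```python
import re
import struct

# Opcode patterns the post's listings assemble to.  Methods 02-05 are
# 16-bit real-mode encodings; method 01 is shown as 32-bit code in the post.
# A short, lazily bounded gap (.{0,N}?) tolerates unrelated instructions
# between the characteristic moves and the interrupt.  This is a triage aid:
# an assembler may pick other encodings, so a miss is not proof of absence.
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK' check (int 3)":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    # mov ax,09xxh ... mov si,4647h ... mov di,4A4Dh ... int 3
    "02 SoftICE back door (int 3, SI=4647h DI=4A4Dh)":
        re.compile(rb"\xB8.\x09.{0,16}?\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
                   re.DOTALL),
    # mov ax,1684h ; mov bx,<VxD id> ; int 2Fh   (the VxD id is captured)
    "03/04 int 2Fh/1684h VxD entry point":
        re.compile(rb"\xB8\x84\x16\xBB(..)\xCD\x2F", re.DOTALL),
    # mov ax,4Fh ; int 41h
    "05 int 41h/4Fh debugger installation check":
        re.compile(rb"\xB8\x4F\x00\xCD\x41"),
}

# VxD ids named in the post.
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def scan(blob: bytes) -> list:
    """Return [(method, offset, detail), ...] for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            detail = ""
            if m.groups():
                vxd_id = struct.unpack("<H", m.group(1))[0]
                detail = VXD_IDS.get(vxd_id, "unknown VxD id %04Xh" % vxd_id)
            hits.append((name, m.start(), detail))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: the post's checks hand-assembled and padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # method 02 (Haspinst listing)
    + b"\x90" * 3
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # method 03, SICE VxD id
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # method 05 + cmp ax,0F386h
    + b"\x90" * 3
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # method 01 (32-bit code)
)

if __name__ == "__main__":
    for method, offset, detail in scan(SAMPLE):
        print("offset %3d  %-48s %s" % (offset, method, detail))
```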
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

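Added example, not from the post: decoding the DR7 values method 10 quotes. The bit layout is the documented x86 one (enable bits L0/G0..L3/G3, LE/GE at bits 8-9, the always-set bit 10, R/W and LEN fields in the high word); the 0x700/0x400 interpretation follows the post, and the sample BPM programmed below is constructed. Nothing here reads a real DR7, which is ring0 only.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers").
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # 10b = 8 bytes exists in 64-bit mode only
DR7_LE, DR7_GE, DR7_BIT10, DR7_GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13
DR7_ENABLE_MASK = 0xFF                    # L0,G0 .. L3,G3
DR7_CONTROL_MASK = 0xFFFF0000             # R/Wn and LENn fields


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its enabled breakpoints and global flags."""
    slots = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            slots.append({"slot": n, "local": local, "global": glob,
                          "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": slots,
            "LE": bool(dr7 & DR7_LE), "GE": bool(dr7 & DR7_GE),
            "GD": bool(dr7 & DR7_GD), "bit10": bool(dr7 & DR7_BIT10)}


def classify_dr7(dr7: int) -> str:
    """Map a DR7 value onto the observations in method 10."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "memory breakpoint(s) set in slot(s) %s" % ",".join(
            str(b["slot"]) for b in d["breakpoints"])
    if d["LE"] and d["GE"]:
        return "LE/GE set: matches the 0x700 the post attributes to the SoftICE loader"
    return "only reserved bit 10 set: matches the 0x400 'clean' value"


def set_bpm(dr7: int, slot: int, kind: str, length: int) -> int:
    """Program one hardware breakpoint (a SoftICE BPM) into slot 0-3."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~((3 << (16 + 4 * slot)) | (3 << (18 + 4 * slot)))
    dr7 |= (1 << (2 * slot)) | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
    return dr7 | DR7_BIT10


def clear_bpms(dr7: int) -> int:
    """What 'clearing BPMs' in the post amounts to: drop every enable bit and
    control field, keeping only the global flags (LE/GE/GD) and bit 10."""
    return (dr7 & ~(DR7_ENABLE_MASK | DR7_CONTROL_MASK)) | DR7_BIT10


if __name__ == "__main__":
    for value in (0x400, 0x700, set_bpm(0x700, 0, "write", 4)):
        print("dr7=%#010x -> %s" % (value, classify_dr7(value)))
```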
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.