<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Tries to open the Win9x SoftICE driver by name: success means it is loaded */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* release the handle before reporting */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-01
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

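The breakpoints above catch these tricks live under SoftICE. When the job is instead to triage a sample on disk for anti-debugging code, the same idioms can be spotted statically. The scanner below is an added example and not part of the original text: it searches a raw binary image for the byte patterns behind Methods 01 to 07, 11 and 13 (the 'BCHK' constant, the SI/DI back door magic, int 2Fh/1684h with the SICE or SIWVID id, int 41h/4Fh, the 0F386h comparison, int 68h/43h, the \\.\SICE style device names and the NuMega registry key). The opcode encodings are my assumption of how the page's listings assemble as 16-bit code, with an optional 66h prefix where 32-bit code uses the same 16-bit registers, and the SAMPLE and BENIGN blobs are constructed for the demonstration.

```python
"""Static scan of a raw binary for the SoftICE detection idioms described above."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Signature:
    name: str       # which method on the page the pattern corresponds to
    pattern: bytes  # regular expression over raw bytes
    flags: int = 0  # extra re flags (case-insensitive for the text strings)


# Encodings are an assumption: 16-bit code, optional 66h operand-size prefix in 32-bit code.
SIGNATURES: List[Signature] = [
    # Method 01: mov ebp, 04243484Bh ('BCHK') loaded before the int 3
    Signature("M01 BCHK magic in EBP", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h and mov di,4A4Dh close to each other, in either order
    Signature("M02 back door magic SI=4647h/DI=4A4Dh",
              rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    Signature("M03/M04 int 2Fh/1684h VxD id lookup",
              rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    Signature("M05 int 41h function 4Fh", rb"\xB8\x4F\x00\xCD\x41"),
    # Methods 05/07/12: cmp ax,0F386h against the system debugger magic number
    Signature("M05/M07/M12 cmp ax,0F386h", rb"(?:\x66)?\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h
    Signature("M07 int 68h function 43h", rb"\xB4\x43\xCD\x68"),
    # Method 11: device names handed to CreateFileA or _lopen
    Signature("M11 SoftICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
    # Method 13: registry key #2
    Signature("M13 NuMega registry key", rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) pairs for every match, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, blob, sig.flags | re.DOTALL):
            hits.append((m.start(), sig.name))
    return sorted(hits)


def method_names(blob: bytes) -> List[str]:
    """Just the signature names, in file order, for quick triage."""
    return [name for _, name in scan(blob)]


# Constructed sample: a fake 16-byte header followed by hand-assembled fragments
# of the page's listings and the two strings, in this order.
SAMPLE = (
    b"MZ" + b"\x00" * 14                                         # fake header (constructed)
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02 (Haspinst loop body)
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05
    + b"\\\\.\\SICE\x00"                                           # Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"                             # Method 13 registry key
)

# Constructed benign blob: an ordinary function prologue and a greeting string.
BENIGN = b"MZ" + b"\x00" * 14 + b"\x55\x8B\xEC\x83\xEC\x10\x33\xC0\xC9\xC3Hello, world\x00"


if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"0x{off:04X}  {name}")
    print("benign hits:", scan(BENIGN))
```

Each hit is reported with its file offset so it can be checked in a disassembler; a packer that builds the magic values at run time (adding or xoring them into the registers) will not match the immediate-operand patterns, which is the usual limit of byte signatures for this kind of trick.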
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>