<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: if SoftICE is
loaded, its int 3 handler services the request and AL no longer holds 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy: jump back.
    4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands pointed to by ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API Entry Point). ES:DI is zeroed first so that a nonzero result
can only come from the VxD: if it is installed, ES:DI receives its API
entry point.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7A5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

This one and the next (Method 06) are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                  ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]       ; keeping the old vector in BX:DX
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

Since the int 41h vector points at a handler that does nothing but iret
for the duration of the call, AX can only come back as 0F386h if the system
debugger intercepted the interrupt before it reached the vector table.

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; pseudo-random byte from the PIT counter
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

No magic number is involved here: the private handler copies AL into CL, so
CL equals AL only if the interrupt actually reached it. If SoftICE takes the
int 41h call and does not pass it on, CL stays at 0 and differs from the
random AL (the check misses only when the timer byte happens to be 0).

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID (VxD IDs)
    mov edi, Device_Name     ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (dr7=0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) or whether some memory
breakpoints are set (dr0 to dr3), simply by reading their values. The values
can be manipulated or changed as well (clearing BPMs, for instance).
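To make the DR7 values quoted above concrete: 0x400 is nothing but bit 10, which is reserved and always reads as 1, while 0x700 additionally has LE (bit 8) and GE (bit 9), the local/global exact-breakpoint enables; the memory breakpoints themselves show up as the L0..L3/G0..G3 enable bits and the R/W and LEN fields of DR7, with the addresses in DR0..DR3. The decoder below is an added example, not code from this text or from SoftICE. It takes a DR7 value as a plain integer (the ring 0 `mov eax,dr7` a real check needs is out of scope here, and every value fed to it is constructed) and shows both halves of the Method 10 check as well as the 'clearing BPMs' countermeasure.

```c
/* Decoder for the x86 DR7 debug-control register (added example; the
 * values used are constructed, nothing here touches the real registers).
 * Layout per the Intel SDM:
 *   bits 0-7    L0,G0 .. L3,G3   local/global enable for DR0..DR3
 *   bits 8,9    LE, GE           local/global exact breakpoint enable
 *   bit  10     reserved, reads as 1 (hence the bare 0x400)
 *   bit  13     GD               general detect (traps MOV to/from DRn)
 *   bits 16-31  R/Wn (2 bits) and LENn (2 bits) for each of DR0..DR3   */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int armed[4];        /* Ln or Gn set: slot n is live */
    int cond[4];         /* R/Wn: 0 exec, 1 write, 2 I/O, 3 read or write */
    int len[4];          /* LENn decoded to bytes */
    int local_exact;     /* LE */
    int global_exact;    /* GE */
    int general_detect;  /* GD */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    /* LEN encoding: 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (long mode only) */
    static const int len_bytes[4] = { 1, 2, 8, 4 };
    dr7_info d = { {0}, {0}, {0}, 0, 0, 0 };
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i)) & 1;
        int global = (dr7 >> (2 * i + 1)) & 1;
        d.armed[i] = local | global;
        d.cond[i]  = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i]   = len_bytes[(dr7 >> (18 + 4 * i)) & 3];
    }
    d.local_exact    = (dr7 >> 8) & 1;
    d.global_exact   = (dr7 >> 9) & 1;
    d.general_detect = (dr7 >> 13) & 1;
    return d;
}

/* Number of DR0..DR3 slots currently armed: the "memory breakpoints set"
 * half of the Method 10 check. */
int dr7_armed_count(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    return d.armed[0] + d.armed[1] + d.armed[2] + d.armed[3];
}

/* The heuristic the text describes: a debugger is assumed when the exact
 * bits are set (0x700 rather than the bare 0x400) or any slot is armed. */
int dr7_suggests_debugger(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    return d.local_exact || d.global_exact || dr7_armed_count(dr7) > 0;
}

/* The "clearing BPMs" countermeasure for one slot: drop Ln/Gn together
 * with that slot's R/W and LEN fields, so the breakpoint is disarmed. */
uint32_t dr7_disarm(uint32_t dr7, int slot)
{
    return dr7 & ~((3u << (2 * slot)) | (0xFu << (16 + 4 * slot)));
}

/* Arm a global 4-byte read/write hardware breakpoint in a slot (constructed
 * value; the address itself would live in the matching DR0..DR3). */
uint32_t dr7_arm_rw4(uint32_t dr7, int slot)
{
    return dr7 | (2u << (2 * slot))          /* Gn */
               | (3u << (16 + 4 * slot))     /* R/Wn = read or write */
               | (3u << (18 + 4 * slot));    /* LENn = 4 bytes */
}

int main(void)
{
    uint32_t samples[3] = { 0x400, 0x700, dr7_arm_rw4(0x700, 0) };
    for (int i = 0; i < 3; i++) {
        dr7_info d = decode_dr7(samples[i]);
        printf("dr7=%08x LE=%d GE=%d armed=%d debugger=%d\n", samples[i],
               d.local_exact, d.global_exact, dr7_armed_count(samples[i]),
               dr7_suggests_debugger(samples[i]));
    }
    return 0;
}
```

Note that a program loaded without the SoftICE loader but running under SoftICE still reads 0x400 until a BPM is set, which is why the text pairs the DR7 test with a look at DR0..DR3 and why clearing a slot (or rewriting DR7 outright) defeats the check from ring 0.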
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the \\.\SICE device (SoftICE for Win9x) can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 dword compared is the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                ; HFILE_ERROR (-1) becomes 0
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
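Every trick from Method 01 to Method 07, plus the device names of Method 11 and the VxDCall sequence of Method 12, leaves a fixed byte sequence in the protected program: the immediate operands 'BCHK', 4647h/4A4Dh, 0202h/7A5Fh, 4Fh, 43h and 002A002Ah, and the INT opcode (or second immediate) that follows them. The C scanner below is an added example, not code from this text or from any of the packers, loaders or tools it mentions: it searches a raw buffer for those sequences and confirms each hit by looking for the matching INT or second immediate within a few bytes. The signature table, the window heuristic and the sample buffer are my own construction; the encodings are those of 16-bit code, and 32-bit code merely prepends an operand-size prefix (66h), which leaves the matched bytes unchanged.

```c
/* Static scanner for the SoftICE detection idioms catalogued on this page.
 * Added example: the signature table, window heuristic and the sample
 * buffer are constructed, not taken from any real protector. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *what;     /* which trick the bytes belong to */
    const uint8_t *pri;      /* distinctive immediate operand or device name */
    size_t         pri_len;
    const uint8_t *sec;      /* confirming bytes (INT opcode or 2nd magic), or NULL */
    size_t         sec_len;
    size_t         window;   /* how far around the primary hit sec may sit */
} sice_sig;

typedef struct { const char *what; size_t offset; } sice_hit;

#define ARR(x) (x), sizeof(x)          /* raw byte array */
#define STR(x) (x), (sizeof(x) - 1)    /* C string without its NUL */

/* 16-bit encodings; 32-bit code adds a 66h prefix that does not disturb these */
static const uint8_t MOV_EBP_BCHK[] = {0xBD,0x4B,0x48,0x43,0x42}; /* mov ebp,4243484Bh */
static const uint8_t INT3[]         = {0xCC};
static const uint8_t MOV_SI_FG[]    = {0xBE,0x47,0x46};           /* mov si,4647h */
static const uint8_t MOV_DI_JM[]    = {0xBF,0x4D,0x4A};           /* mov di,4A4Dh */
static const uint8_t MOV_BX_SICE[]  = {0xBB,0x02,0x02};           /* mov bx,0202h */
static const uint8_t MOV_BX_SIWV[]  = {0xBB,0x5F,0x7A};           /* mov bx,7A5Fh */
static const uint8_t INT2F[]        = {0xCD,0x2F};
static const uint8_t MOV_AX_4F[]    = {0xB8,0x4F,0x00};           /* mov ax,4Fh */
static const uint8_t INT41[]        = {0xCD,0x41};
static const uint8_t MOV_AH_43[]    = {0xB4,0x43};                /* mov ah,43h */
static const uint8_t INT68[]        = {0xCD,0x68};
static const uint8_t PUSH_VWIN32[]  = {0x68,0x2A,0x00,0x2A,0x00}; /* push 002A002Ah */
static const uint8_t PUSH_4F[]      = {0x6A,0x4F};                /* push 4Fh */
static const uint8_t DEV_SICE[]     = "\\\\.\\SICE";
static const uint8_t DEV_SIWVID[]   = "\\\\.\\SIWVID";
static const uint8_t DEV_NTICE[]    = "\\\\.\\NTICE";

static const sice_sig SIGS[] = {
    { "Method 01: BoundsChecker 'BCHK' signature", ARR(MOV_EBP_BCHK), ARR(INT3),     12 },
    { "Method 02: back door magic values FG/JM",   ARR(MOV_SI_FG),    ARR(MOV_DI_JM), 8 },
    { "Method 03: int 2Fh/1684h, SICE VxD ID",     ARR(MOV_BX_SICE),  ARR(INT2F),     8 },
    { "Method 04: int 2Fh/1684h, SIWVID VxD ID",   ARR(MOV_BX_SIWV),  ARR(INT2F),     8 },
    { "Method 05: int 41h/4Fh debugger check",     ARR(MOV_AX_4F),    ARR(INT41),     8 },
    { "Method 07: int 68h/43h V86 handler check",  ARR(MOV_AH_43),    ARR(INT68),     8 },
    { "Method 11: MeltICE device name SICE",       STR(DEV_SICE),     NULL, 0,        0 },
    { "Method 11: MeltICE device name SIWVID",     STR(DEV_SIWVID),   NULL, 0,        0 },
    { "Method 11: MeltICE device name NTICE",      STR(DEV_NTICE),    NULL, 0,        0 },
    { "Method 12: VxDCall VWIN32_Int41Dispatch",   ARR(PUSH_VWIN32),  ARR(PUSH_4F),   8 },
};

/* First occurrence of pat in buf[lo, hi); returns 1 and sets *pos on success. */
static int memfind(const uint8_t *buf, size_t lo, size_t hi,
                   const uint8_t *pat, size_t plen, size_t *pos)
{
    if (plen == 0 || hi < lo || hi - lo < plen) return 0;
    for (size_t i = lo; i + plen <= hi; i++)
        if (memcmp(buf + i, pat, plen) == 0) { if (pos) *pos = i; return 1; }
    return 0;
}

/* Reports each signature at most once (its first confirmed occurrence). */
size_t scan_sice_tricks(const uint8_t *buf, size_t len, sice_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0] && n < max_hits; s++) {
        const sice_sig *sg = &SIGS[s];
        size_t pos = 0, start = 0;
        while (memfind(buf, start, len, sg->pri, sg->pri_len, &pos)) {
            size_t lo = pos > sg->window ? pos - sg->window : 0;
            size_t hi = pos + sg->pri_len + sg->window;
            if (hi > len) hi = len;
            if (sg->sec == NULL || memfind(buf, lo, hi, sg->sec, sg->sec_len, NULL)) {
                hits[n].what = sg->what; hits[n].offset = pos; n++;
                break;
            }
            start = pos + 1;   /* unconfirmed: keep looking for another copy */
        }
    }
    return n;
}

/* Constructed sample: Method 01 in 32-bit code, the Haspinst loop body of
 * Method 02, the simplest Method 05 variant, and an AZPR-style device string. */
static const uint8_t SAMPLE[] = {
    0x90,0x90,0x90,0x90,
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10, /* BCHK */
    0x90,0x90,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,           /* FG/JM */
    0x90,0x90,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x08,                     /* int 41h */
    0x90,0x90,
    '\\','\\','.','\\','S','I','C','E',0,                                    /* \\.\SICE */
};
/* A lone mov si,4647h with no second magic value: must not be reported. */
static const uint8_t CLEAN[] = { 0xBE,0x47,0x46, 0x90, 0xC3 };

int main(void)
{
    sice_hit hits[16];
    size_t n = scan_sice_tricks(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("+%04zx  %s\n", hits[i].offset, hits[i].what);
    return n ? 0 : 1;
}
```

A bare `CC` is a weak confirmation for Method 01 (INT 3 is a common padding byte), so in practice you would also require the `mov ax,4` that precedes it; the other confirmations (`CD 2F`, `CD 41`, `CD 68`, the second magic value, the `push 4Fh`) are distinctive enough on their own. Methods 08, 09, 10, 13 and 14 leave no such fixed bytes in a DOS/Win32 image (they are int 21h vector writes, VMM calls from ring 0, debug-register reads and registry lookups), which is why they are not in the table.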

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE" in
 key #2 and key #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>