<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our own int 41h vector (ES = 0 assumed)
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; read the timer port: an unpredictable value in AL
    xor cx, cx
    int 41h                  ; our handler copies AL into CL; if SoftICE
                             ; services int 41h itself, CL stays 0
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID            ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name          ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx                ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device opens, i.e. the Win9x SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025           ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxDCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
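As an added example (not from the original text, and not code from any of the tools or protectors it names): a small static scanner for the byte patterns of the tricks described above, the kind of check an analyst runs over a sample before loading it under a debugger. It matches the x86 encodings of methods 01, 02, 03/04, 05, 07 and 12 and the device names of method 11; the signature names, the gap allowance in the method 02 patterns and the sample bytes are constructed for this example.

```python
import re

# Byte signatures for the SoftICE checks described on this page.  The
# instruction encodings are standard x86 (the mode each one assumes is noted);
# the patterns themselves are constructed for this example and are not taken
# from any protector, scanner or from the page's own code.
SIGNATURES = {
    # Method 01 (32-bit): mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4
    "method01_bchk_int3": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; up to 8 bytes ; int 3
    "method02_backdoor_16bit": rb"\xBE\x47\x46\xBF\x4D\x4A[\x00-\xFF]{0,8}?\xCC",
    "method02_backdoor_32bit": rb"\x66\xBE\x47\x46\x66\xBF\x4D\x4A[\x00-\xFF]{0,8}?\xCC",
    # Methods 03/04 (16-bit): mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "method03_04_int2f_vxd_id": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05 (16-bit): mov ax,4Fh ; int 41h
    "method05_int41_4f": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "method07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 11: the device names handed to CreateFileA or _lopen, NUL-terminated
    "method11_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12 (32-bit): push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch)
    "method12_vxdcall_int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}

COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return [(signature_name, offset), ...] for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def methods_found(blob):
    """Set of method numbers (as strings, e.g. '05') whose signatures occur."""
    return {name[6:8] for name, _ in scan(blob)}


# Constructed sample: filler bytes around one instance each of methods 01, 05,
# 11 and 12 (plus the 'cmp ax,0F386h' that follows method 05 on this page).
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01, jnz
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                 # method 05, cmp, jz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                          # method 11 string
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                             # method 12
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"0x{off:04X}  {name}")
```

Run over a real file with `scan(open(path, "rb").read())`; a hit is a lead to confirm in a disassembler, not proof, since short sequences such as method 07 can occur by chance.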