<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; SoftICE answers by changing al
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce windows)
  -AX = 0911h (Execute SIce commands; ds:dx points to the command)
  -AX = 0912h (Get breakpoint infos)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler (es = 0,
    xchg bx, es:[41h*4+2]    ; the IVT segment, as set up in Method 06)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al               ; only reached if nobody else owns int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; al = an unpredictable timer value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al               ; our handler ran: cl == al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SoftICE (Win9x) driver answers an open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);      /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
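Methods 01 to 13 above all leave a recognisable footprint in the binary (an opcode sequence or a string). The scanner below is an added example, not part of the original text or of any of the programs it describes: it flags those byte encodings so an analyst can spot a packed sample that carries them. It assumes the DOS/V86 tricks are 16-bit code and methods 01, 11 and 12 are 32-bit code; the sample buffer is constructed.

```python
"""Static scanner for the anti-SoftICE signatures of Methods 01-13.

Added example (not from the original page). Opcode encodings are plain x86:
16-bit for the DOS/V86 tricks, 32-bit for methods 01, 11 and 12.
"""
import re

# Raw-byte regexes, one per method family.
SIGNATURES = {
    "01 BoundsChecker 'BCHK'":
        rb"\xbd\x4b\x48\x43\x42",                          # mov ebp,4243484Bh
    "02 back door int 3 (SI=4647h, DI=4A4Dh)":
        rb"\xbe\x47\x46(?:\x00\x00)?\xbf\x4d\x4a",          # mov si,4647h ; mov di,4A4Dh
    "03/04 int 2Fh/1684h VxD ID (SICE or SIWVID)":
        rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",  # mov ax,1684h ; mov bx,ID ; int 2Fh
    "05 int 41h/4Fh magic 0F386h":
        rb"\xb8\x4f\x00\xcd\x41.{0,24}?\x3d\x86\xf3",       # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "07 int 68h/43h magic 0F386h":
        rb"\xb4\x43\xcd\x68.{0,8}?\x3d\x86\xf3",            # mov ah,43h ; int 68h ; cmp ax,0F386h
    "08 int 21h/25h on int 01h or 03h":
        rb"\xb4\x25\xb0[\x01\x03]|\xb8[\x01\x03]\x25",      # mov ah,25h ; mov al,1/3 (or mov ax,25xxh)
    "11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",              # "\\.\SICE" etc. as passed to CreateFile
    "12 VxDCall VWIN32_Int41Dispatch, function 4Fh":
        rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00",       # push 4Fh ; push 002A002Ah
    "13 registry probe":
        rb"Software\\NuMega\\SoftICE",
}


def scan(buf):
    """Return sorted (offset, method) pairs for every signature hit in buf."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: the simplest Method 05 check, a MeltICE device string
# and the Bleem-style VxDCall push sequence of Method 12, with filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"   # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                           # "\\.\SICE"
    + b"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"   # push 4Fh / push 002A002Ah
    + b"CreateFileA\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04x}  Method {name}")
```

Run it over a whole file with `scan(open(path, "rb").read())`; a hit on a regex only says the pattern is present, so confirm it at the reported offset before drawing conclusions.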

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
1 g0 r1 k+ C& L/ E</PRE></TD></TR></TBODY></TABLE> |