About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value (timer port)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: someone else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the \\.\SICE device only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
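As an added example (not part of the original post or of any tool it names), here is a small Python scanner of the kind an analyst uses to triage a sample statically: it looks for the byte encodings of the instruction sequences from methods 01, 02, 03/04, 05 and 07 and for the MeltICE device names of method 11. The signature names, the 8-byte gap tolerance and the sample buffer (hand-assembled from the Method 02, 05 and 11 snippets) are my own constructions.

```python
import re

# Byte-level signatures derived from the instruction sequences in the post
# (standard x86 encodings, multi-byte immediates little-endian).  Up to 8
# bytes of other code are tolerated between the instructions of a sequence.
GAP = rb".{0,8}?"
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker 'BCHK' signature":
        rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC",
    # Method 02: mov si,4647h and mov di,4A4Dh magic values, either order
    "02 SoftICE back door magic (SI=4647h, DI=4A4Dh)":
        rb"(?:\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A|\xBF\x4D\x4A" + GAP + rb"\xBE\x47\x46)",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)":
        rb"\xB8\x84\x16" + GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh debugger check": rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h WinICE handler check": rb"\xB4\x43" + GAP + rb"\xCD\x68",
    # Method 11 (MeltICE): NUL-terminated driver names given to CreateFileA/_lopen
    "11 MeltICE driver name (\\\\.\\SICE etc.)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = []
    for name, pattern in COMPILED.items():
        hits.extend((m.start(), name) for m in pattern.finditer(blob))
    return sorted(hits)


def detected_methods(blob: bytes) -> list[str]:
    """Method numbers (e.g. '02') found in the blob, in order of first hit."""
    seen = []
    for _, name in scan(blob):
        number = name.split()[0]
        if number not in seen:
            seen.append(number)
    return seen


# Constructed sample: the Haspinst.exe back-door sequence (Method 02), the
# simplest int 41h check (Method 05) and a MeltICE device name (Method 11),
# hand-assembled and separated by NOPs.
SAMPLE = (
    b"\x90\x90"                                          # 0: filler
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # 2: mov ax,911h / mov dx,[bx] / mov si / mov di / int 3
    + b"\x90"
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                # 15: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90"
    + b"\\\\.\\SICE\x00"                                  # 24: '\\.\SICE',0
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04X}  {name}")
```

Raw byte matching is a triage aid only: these short encodings can also occur in ordinary code, so a hit is a lead for manual review of the surrounding instructions, not proof that the sample checks for a debugger.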