<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature recognised by SoftICE: when INT 3 is
raised with EBP = 'BCHK' and AX = 4, a loaded SoftICE answers the call and
AL is no longer 4 on return.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4             ; AL is still 4 if nobody serviced the INT 3
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di            ; ES:DI stays 0000:0000 if the VxD is absent
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di            ; ES:DI stays 0000:0000 if the VxD is absent
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]      ; keeping the old vector in bx:dx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h             ; our own handler leaves ax untouched
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al            ; our handler simply echoes al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax            ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h            ; a hard-to-predict value (timer counter)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al            ; if our handler was bypassed, cl is still 0
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
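The checks in Methods 01 through 07 all boil down to short, fixed instruction sequences, so an analyst can flag them statically in a dumped or unpacked sample instead of waiting to hit them under the debugger. The scanner below is an added example (not part of the original text, and not code from any tool it names); the byte encodings are my own assembly of the listings above, for 16-bit code, with an optional 0x66 operand-size prefix so that the 32-bit form of each check is matched too.

```python
import re

# Added example: static signatures for the SoftICE checks in Methods 01-07.
# The opcode bytes are my own reconstruction of the listings; "\x66?" tolerates
# the 32-bit operand-size prefix and ".{0,N}" allows a few unrelated bytes
# (vector save/restore, register setup) between the key instructions.
SOFTICE_SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4
    "m01_bchk_int3": re.compile(
        rb"\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC\x3C\x04", re.DOTALL),
    # Method 02: mov si,4647h ; mov di,4A4Dh (either order) ; ... ; int 3
    "m02_backdoor_magic": re.compile(
        rb"(?:\xBE\x47\x46.{0,6}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}\xBE\x47\x46).{0,8}\xCC",
        re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "m03_m04_int2f_vxd_id": re.compile(
        rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xCD\x2F", re.DOTALL),
    # Methods 05/06 style: mov ax,4Fh ; int 41h ; [vector restore] ; cmp ax,0F386h
    "m05_int41_f386": re.compile(
        rb"\x66?\xB8\x4F\x00.{0,4}\xCD\x41.{0,12}\x66?\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "m07_int68_f386": re.compile(
        rb"\xB4\x43.{0,4}\xCD\x68.{0,4}\x66?\x3D\x86\xF3", re.DOTALL),
}


def scan_for_softice_checks(blob: bytes):
    """Return a sorted list of (offset, signature_name) for every hit in blob."""
    hits = []
    for name, pattern in SOFTICE_SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed test input: three of the checks, hand-assembled, padded with NOPs.
SAMPLE_CODE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 (32-bit)
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05 (16-bit)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xB8\x11\x09\xCC"                  # Method 02 (16-bit)
)

if __name__ == "__main__":
    for offset, name in scan_for_softice_checks(SAMPLE_CODE):
        print(f"0x{offset:04X}  {name}")
```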

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only if the SICE VxD is loaded. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
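Methods 11 and 13 leave plain strings in the program (device names and registry paths), which is the quickest thing to look for when triaging a sample that refuses to run under a debugger. The helper below is an added example, not code from the original text or from MeltICE; it searches a raw file image for those strings in both ANSI and UTF-16LE form, case-insensitively, since the Win32 calls involved are themselves case-insensitive. The indicator strings are the ones listed above; the descriptions are mine.

```python
# Added example: string indicators behind Methods 11 and 13, looked up in a raw
# sample in both ANSI and UTF-16LE form (my own choice, not from the text).
SOFTICE_STRING_INDICATORS = {
    "\\\\.\\SICE":   "Method 11: SoftICE Win9x driver handle (CreateFileA / _lopen)",
    "\\\\.\\SIWVID": "Method 11: SoftICE Win9x video driver handle",
    "\\\\.\\NTICE":  "Method 11: SoftICE WinNT driver handle",
    "CurrentVersion\\Uninstall\\SoftICE": "Method 13: registry key #1",
    "Software\\NuMega\\SoftICE":          "Method 13: registry key #2",
    "App Paths\\Loader32.Exe":            "Method 13: registry key #3",
}


def find_softice_strings(blob: bytes):
    """Return sorted (offset, encoding, indicator) triples for every occurrence.

    bytes.lower() folds only ASCII letters, which is exactly what is needed for
    both the ANSI form and the UTF-16LE form (letter byte followed by a NUL).
    """
    haystack = blob.lower()
    hits = []
    for indicator in SOFTICE_STRING_INDICATORS:
        forms = (("ansi", indicator.encode("ascii")),
                 ("utf16le", indicator.encode("utf-16-le")))
        for encoding, needle in forms:
            needle = needle.lower()
            pos = haystack.find(needle)
            while pos != -1:
                hits.append((pos, encoding, indicator))
                pos = haystack.find(needle, pos + 1)
    return sorted(hits)


# Constructed test input: a slice of what a strings dump of such a program might
# contain: one ANSI device name, one UTF-16LE device name and one registry path,
# separated by NUL padding and an unrelated import name.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"\\\\.\\sice\x00"                                   # ANSI, lower case on purpose
    + b"kernel32.dll\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"     # wide-string variant
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, encoding, indicator in find_softice_strings(SAMPLE_BLOB):
        print(f"0x{offset:04X} {encoding:8} {indicator!r:30} "
              f"{SOFTICE_STRING_INDICATORS[indicator]}")
```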


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF is set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>