About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface in SoftICE: with
EBP='BCHK' and AX=4, int 3 is answered by SoftICE (AL is changed), while
AL is simply left at 4 when nothing is listening.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; still 4: nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own int 3 exception
  handler when the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"): ES:DI stays 0:0 when no VxD has that ID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is swapped
for a dummy handler before the call: a plain iret leaves ax=4Fh, so only a
debugger sitting underneath the vector (SoftICE) can still return 0F386h.

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect (no
4Fh, no 0F386h to break on): the dummy handler copies al into cl, and a
changing byte read from the timer port is used as the payload. If the
program's handler really ran, cl==al; if SoftICE swallowed the int 41h
instead, cl stays 0.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old one
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter 0: a changing byte
    xor     cx,cx
    int     41h                     ; should reach int41handler -> cl=al
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only: a mov from a debug register faults with #GP in ring3).
Values can be manipulated or changed as well (clearing BPMs for instance).

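As an added example (not from the original text), here is a C decoder for the DR7 layout that the 0x700/0x400 remark relies on: bit 10 of DR7 is reserved and always reads 1, so 0x400 is the register's reset value, and 0x700 is that value plus the LE and GE bits (8 and 9). Lx/Gx (bits 0-7) arm the four slots, and bits 16-31 hold each slot's R/W and LEN fields. The sample values are constructed; reading the real register still needs ring 0, as the text says.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One hardware breakpoint slot as described by DR7 (Intel SDM, debug registers). */
struct dr7_slot {
    int local;   /* Lx: enabled for the current task */
    int global;  /* Gx: enabled for all tasks */
    int rw;      /* 0 = execute, 1 = write, 2 = I/O, 3 = read or write */
    int len;     /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes (64-bit only) */
};

struct dr7_info {
    struct dr7_slot slot[4];
    int le, ge, gd;      /* bits 8, 9, 13: exact breakpoint enables, general detect */
    unsigned armed;      /* mask of slots with L or G set, i.e. live breakpoints */
};

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info i = { { { 0, 0, 0, 0 } }, 0, 0, 0, 0 };
    for (int k = 0; k < 4; k++) {
        i.slot[k].local  = (dr7 >> (2 * k))      & 1;
        i.slot[k].global = (dr7 >> (2 * k + 1))  & 1;
        i.slot[k].rw     = (dr7 >> (16 + 4 * k)) & 3;
        i.slot[k].len    = (dr7 >> (18 + 4 * k)) & 3;
        if (i.slot[k].local || i.slot[k].global) i.armed |= 1u << k;
    }
    i.le = (dr7 >> 8) & 1;
    i.ge = (dr7 >> 9) & 1;
    i.gd = (dr7 >> 13) & 1;
    return i;
}

int dr7_len_bytes(int len)
{
    switch (len) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

/* Per-slot helpers so callers need not poke at the struct. */
int dr7_slot_rw(uint32_t dr7, int k)        { struct dr7_info i = dr7_decode(dr7); return i.slot[k].rw; }
int dr7_slot_len_bytes(uint32_t dr7, int k) { struct dr7_info i = dr7_decode(dr7); return dr7_len_bytes(i.slot[k].len); }

/* The method-10 test: an armed slot means a BPM is set; LE|GE on top of the
   always-set reserved bit 10 is the 0x700 the text reports for programs started
   with the SoftICE loader, while a bare 0x400 is the reset value of DR7. */
int dr7_debugger_suspected(uint32_t dr7)
{
    struct dr7_info i = dr7_decode(dr7);
    return i.armed != 0 || i.le || i.ge;
}

/* What a protector does to kill BPMs: clear the enable bits and every
   R/W-LEN field, keeping bits 8-15 (LE/GE, reserved bit 10, GD) as they were. */
uint32_t dr7_clear_breakpoints(uint32_t dr7) { return dr7 & 0x0000FF00u; }

static void describe(uint32_t dr7)
{
    static const char *const rw_name[] = { "exec", "write", "io", "read/write" };
    struct dr7_info i = dr7_decode(dr7);
    printf("DR7=%08X le=%d ge=%d gd=%d suspicious=%d\n", (unsigned)dr7, i.le, i.ge, i.gd,
           dr7_debugger_suspected(dr7));
    for (int k = 0; k < 4; k++)
        if (i.armed & (1u << k))
            printf("  DR%d armed: %s, %s, %d byte(s)\n", k,
                   i.slot[k].global ? "global" : "local",
                   rw_name[i.slot[k].rw], dr7_len_bytes(i.slot[k].len));
}

int main(void)
{
    /* Constructed values: reset DR7, the loader case from the text, and a
       4-byte read/write BPM armed in slot 0 (L0=1, RW0=3, LEN0=3). */
    const uint32_t samples[] = { 0x400, 0x700, 0x400 | 1u | (3u << 16) | (3u << 18) };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) describe(samples[k]);
    printf("after clearing: DR7=%08X\n", (unsigned)dr7_clear_breakpoints(samples[2]));
    return 0;
}
```

The same decoder applies to a DR7 obtained any other way, e.g. from a thread context on NT, where a non-zero armed mask is the classic sign of a hardware breakpoint left by a debugger.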
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;        /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
  four bytes compared are the device name itself)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

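The interrupt-based checks of methods 01 to 07 and the VxDCall variant of method 12 all reduce to short, fixed byte sequences, so the analyst's counterpart is a signature scan of the binary before it ever runs under SoftICE. The following C program is an added example, not code from the original text or from any of the protectors it names: it encodes those sequences as byte patterns (my own encodings; methods 01 and 12 are assumed to be 32-bit code, the others 16-bit as shown on the page), with a wildcard for the VxD ID of methods 03/04, and runs them over a constructed sample buffer that embeds the Haspinst sequence from method 02 and a decoy that loads only the SI magic value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WILD 0x100  /* pattern slot that matches any byte */

struct sig {
    const char     *name;
    const uint16_t *pat;    /* 0x00..0xFF literal byte, or WILD */
    size_t          len;
    int             id_off; /* offset of a 16-bit LE operand worth reporting, or -1 */
};

struct hit {
    const char *name;
    size_t      offset;     /* where the sequence starts in the buffer */
    uint16_t    detail;     /* e.g. the VxD ID used by the int 2Fh/1684h check */
};

/* Method 01, assumed 32-bit code: mov ebp,4243484Bh / mov ax,4 / int 3 */
static const uint16_t p_bchk[]     = { 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC };
/* Method 02, 16-bit code: mov si,4647h / mov di,4A4Dh / int 3 (the AX function
   is loaded earlier and not always adjacent, so it is left out of the pattern) */
static const uint16_t p_backdoor[] = { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC };
/* Methods 03/04, 16-bit code: mov ax,1684h / mov bx,<VxD ID> / int 2Fh */
static const uint16_t p_int2f[]    = { 0xB8,0x84,0x16, 0xBB,WILD,WILD, 0xCD,0x2F };
/* Method 05 (simplest form), 16-bit code: mov ax,4Fh / int 41h / cmp ax,0F386h */
static const uint16_t p_int41[]    = { 0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3 };
/* Method 07, 16-bit code: mov ah,43h / int 68h / cmp ax,0F386h */
static const uint16_t p_int68[]    = { 0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3 };
/* Method 12, 32-bit code: push 4Fh / push 2A002Ah (the VxDCall follows) */
static const uint16_t p_vxdcall[]  = { 0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00 };

#define SIG(n, p, o) { n, p, sizeof(p) / sizeof((p)[0]), o }
static const struct sig SIGS[] = {
    SIG("01 BoundsChecker 'BCHK' int 3",            p_bchk,     -1),
    SIG("02 SoftICE back door int 3 (SI/DI magic)", p_backdoor, -1),
    SIG("03/04 int 2Fh/1684h VxD entry point",      p_int2f,     4),
    SIG("05 int 41h/4Fh magic 0F386h",              p_int41,    -1),
    SIG("07 int 68h/43h magic 0F386h",              p_int68,    -1),
    SIG("12 VxDCall VWIN32_Int41Dispatch 4Fh",      p_vxdcall,  -1),
};
#define NSIGS (sizeof(SIGS) / sizeof(SIGS[0]))

static int match_at(const uint8_t *buf, size_t n, size_t off, const struct sig *s)
{
    if (s->len > n - off) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && buf[off + i] != s->pat[i]) return 0;
    return 1;
}

/* Scan buf with every signature. Returns the total number of hits; the first
   max of them are stored in out, in ascending offset order. */
size_t scan_anti_sice(const uint8_t *buf, size_t n, struct hit *out, size_t max)
{
    size_t count = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t k = 0; k < NSIGS; k++) {
            const struct sig *s = &SIGS[k];
            if (!match_at(buf, n, off, s)) continue;
            if (count < max) {
                out[count].name   = s->name;
                out[count].offset = off;
                out[count].detail = s->id_off < 0 ? 0 :
                    (uint16_t)(buf[off + s->id_off] | (buf[off + s->id_off + 1] << 8));
            }
            count++;
        }
    return count;
}

/* Constructed sample "code dump" (not a real binary): filler NOPs, the Haspinst
   sequence from method 02, then method 05, method 03 with VxD ID 0202h, method 12,
   and a decoy that loads the SI magic value without the DI one. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,                                      /*  0: nop nop            */
    0xB8, 0x11, 0x09,                                /*  2: mov ax,0911h       */
    0x8B, 0x17,                                      /*  5: mov dx,[bx]        */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,        /*  7: method 02          */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,              /* 14: filler             */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,  /* 20: method 05          */
    0x90, 0x90, 0x90, 0x90,                          /* 28: filler             */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,  /* 32: method 03, id 0202 */
    0x90, 0x90, 0x90, 0x90,                          /* 40: filler             */
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,        /* 44: method 12          */
    0xBE, 0x47, 0x46, 0xCC,                          /* 51: decoy, no DI magic */
};
#define MAX_HITS 16

size_t sample_hit_count(void) { struct hit h[MAX_HITS]; return scan_anti_sice(SAMPLE, sizeof SAMPLE, h, MAX_HITS); }

/* i-th hit on the sample, or an empty hit (name "") past the end */
struct hit sample_hit(size_t i)
{
    struct hit h[MAX_HITS], none = { "", 0, 0 };
    size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, h, MAX_HITS);
    return (i < n && i < MAX_HITS) ? h[i] : none;
}

int main(void)
{
    size_t n = sample_hit_count();
    for (size_t i = 0; i < n; i++) {
        struct hit h = sample_hit(i);
        printf("offset %2zu: method %s", h.offset, h.name);
        if (h.detail) printf(" (VxD ID %04Xh)", h.detail);
        putchar('\n');
    }
    return 0;
}
```

Patterns this tight miss any variant that reorders the moves or goes through a different register, which is exactly why the page's breakpoint-based detections (BPINT 41 if ax==4f, BPX Get_DDB ...) remain the more reliable tool once the target is running; the scan is the cheap first pass.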
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

  (esp->8 is the lpSubKey argument: offset 0x13 is where "tICE" sits in
  "Software\NuMega\SoftICE", 0x37 where it sits in the Uninstall key #1)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed          ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>