<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE answers the BCHK request by changing al
    cmp al, 4               ; al still 4 -> nobody answered, no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h           ; int 2Fh/1684h: get VxD API entry point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, keeping the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h                 ; a system debugger answers 4Fh with 0F386h in ax
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; our handler leaves ax untouched (still 4Fh)
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; al = timer byte, an unpredictable value (not 4Fh)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al: our handler never ran, int 41h was intercepted
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; int 21h/25h: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

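As an added example (not part of the original text), a small decoder for the DR7 values Method 10 reads: it shows which bits the 0x700 and 0x400 values set and which DR0..DR3 slots a memory breakpoint (BPM) arms. The bit layout is the standard IA-32 debug register layout; the function names and the constructed values are my own.

```python
# Added example (not from the original text): decode the DR7 values that
# Method 10 reads, to show what 0x700 vs 0x400 encode and which hardware
# breakpoints (SoftICE BPMs) are armed. Bit layout per the IA-32 debug
# register definition:
#   bits 0-7   : L0,G0 .. L3,G3  (local/global enable for DR0..DR3)
#   bit 8 / 9  : LE / GE         (exact breakpoint match, legacy bits)
#   bit 10     : reserved, always reads as 1 (hence the 0x400 baseline)
#   bits 16-31 : R/W0,LEN0 .. R/W3,LEN3 (2 bits each)
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7):
    """Return LE/GE flags and the list of armed DR0..DR3 slots."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        armed.append({"reg": "dr%d" % i, "local": bool(local),
                      "global": bool(glob), "kind": RW_KIND[rw],
                      "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200), "armed": armed}

def classify_dr7(dr7):
    """Method 10's reading of DR7: any enable bit means BPMs are set,
    LE+GE (0x700) is what the text attributes to the SoftICE loader,
    and a bare 0x400 is a clean register."""
    if dr7 & 0xFF:
        return "hardware breakpoints set"
    if (dr7 & 0x300) == 0x300:
        return "LE/GE set (SoftICE loader, per Method 10)"
    return "clean"

def dr7_with_bpm(slot, kind, length):
    """Constructed helper: DR7 arming one global breakpoint in DR<slot>,
    to show how a BPM becomes visible to a program reading DR7."""
    rw = [k for k, v in RW_KIND.items() if v == kind][0]
    ln = [k for k, v in LEN_BYTES.items() if v == length][0]
    dr7 = 0x400 | (1 << (2 * slot + 1))
    return dr7 | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))

if __name__ == "__main__":
    for value in (0x400, 0x700, dr7_with_bpm(1, "read/write", 4)):
        print(hex(value), classify_dr7(value), decode_dr7(value)["armed"])
```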
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

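As an added example that is not part of the original text: a static scanner, in Python, for the byte patterns of the tricks in Methods 01 to 07, 11, 12 and 13, so an executable can be checked for them before it is loaded under a debugger. The opcode encodings are standard x86; the signature names, the constructed sample buffer and the helper names are my own.

```python
# Added example (not from the original text): a static scanner for the
# anti-SoftICE byte patterns described in Methods 01-07, 11, 12 and 13,
# the kind of pre-check an analyst runs over a packed executable before
# loading it under a debugger. Opcode bytes are standard IA-32 encodings
# ("mov ebp, imm32" = BD imm32, "int 3" = CC, "int 2Fh" = CD 2F, ...);
# the (?:\x66)? prefix covers 16-bit register operands inside 32-bit code.
import re

SIGNATURES = {
    "M01 BoundsChecker 'BCHK' + int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    "M02 back door magic SI=4647h/DI=4A4Dh + int 3":
        rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC",
    "M03/M04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    "M05 int 41h/4Fh debugger check":
        rb"(?:\x66)?\xB8\x4F\x00.{0,4}?\xCD\x41",
    "M05/M07/M12 compare ax with magic 0F386h":
        rb"(?:\x66)?\x3D\x86\xF3",
    "M07 int 68h/43h":
        rb"\xB4\x43\xCD\x68",
    "M11 MeltICE driver device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch(4Fh)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "M13 registry key of the SoftICE installation":
        rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]

def scan(blob):
    """Return a sorted list of (offset, signature name) hits in blob."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)

def scan_file(path):
    with open(path, "rb") as fh:
        return scan(fh.read())

# Constructed sample (not a real binary): NOP filler around the instruction
# sequences quoted in the text, encoded by hand.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"      # Method 01, 32-bit
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # Method 02 (Haspinst)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                       # Method 03, 16-bit
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\x90\x90\x66\x3D\x86\xF3"  # Method 12
    + b"\\\\.\\SICE\x00"                                        # Method 11 string
    + b"Software\\NuMega\\SoftICE\x00"                          # Method 13 key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("%#06x  %s" % (offset, name))
```

Run it on a file with scan_file(path); a hit only says the bytes are present, so confirm in the disassembly that they sit on an executed path before treating the file as armoured.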
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set on return -> no debugger installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>