About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker interface...
    cmp     al,4                   ; ...by changing AL; AL still 4 means no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; int 2Fh fn 1684h: get VxD API entry point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; int 2Fh fn 1684h: get VxD API entry point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the real-mode interrupt vector table segment)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...and keep the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a plain iret would have left ax = 4fh
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; echo al into cl so the caller can tell we ran
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a varying value (timer channel 0)
    xor     cx,cx
    int     41h                     ; our handler should copy al into cl...
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...cl != al means something else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

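Because the debug registers can only be read in ring 0, an analyst usually meets DR7 as a value captured in a kernel debugger or in a memory dump. The decoder below is an added example (not part of the original text) that splits a DR7 value into the fields behind the 0x700 and 0x400 values quoted above (the LE/GE enable bits plus the reserved bit 10, which always reads as 1) and lists whichever DR0..DR3 slots are enabled, which is exactly what the 'BPM' check in this method looks at. The sample DR7/DR0 values are constructed for the example.

```python
from dataclasses import dataclass

# DR7 layout (Intel SDM vol. 3, Debug Registers); bit 10 is reserved and reads as 1,
# which is why the text's "no debugger" value is 0x400 rather than 0.
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int          # 0..3, i.e. DR0..DR3
    address: int       # contents of the matching DRn
    local: bool        # Ln bit
    global_: bool      # Gn bit
    kind: str          # R/Wn field
    length: int        # LENn field, in bytes


@dataclass(frozen=True)
class Dr7State:
    le: bool           # bit 8, local exact breakpoint enable
    ge: bool           # bit 9, global exact breakpoint enable
    gd: bool           # bit 13, general detect (trap on MOV to/from DRx)
    breakpoints: tuple


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> Dr7State:
    """Split a DR7 value (plus optional DR0..DR3 contents) into its fields."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        bps.append(HwBreakpoint(n, dr0_3[n], local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return Dr7State(le=bool((dr7 >> 8) & 1), ge=bool((dr7 >> 9) & 1),
                    gd=bool((dr7 >> 13) & 1), breakpoints=tuple(bps))


def findings(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """Human-readable verdicts mirroring what the check in method 10 infers."""
    st = decode_dr7(dr7, dr0_3)
    out = []
    if st.le and st.ge:
        out.append("LE and GE set (the 0x700 value the text reports under the SoftICE loader)")
    elif (dr7 & 0x7FF) == 0x400:
        out.append("only the reserved bit set (0x400: no exact-breakpoint enables)")
    if st.gd:
        out.append("GD set: any MOV to/from a debug register traps (a debugger is guarding DRx)")
    for bp in st.breakpoints:
        scope = "global" if bp.global_ else "local"
        out.append(f"DR{bp.slot}: {scope} {bp.kind} breakpoint, {bp.length} byte(s) at {bp.address:#010x}")
    return out


# Constructed sample values: a BPM-style 4-byte write watch in DR0 alongside LE/GE.
SAMPLE_DR7 = 0x700 | 0x1 | (0b01 << 16) | (0b11 << 18)   # L0, R/W0=write, LEN0=4
SAMPLE_DRS = (0x00401000, 0, 0, 0)

if __name__ == "__main__":
    for dr7 in (0x400, 0x700, SAMPLE_DR7):
        print(f"DR7={dr7:#x}")
        for line in findings(dr7, SAMPLE_DRS):
            print("   ", line)
```

Feed it the DR7/DR0..DR3 values from a kernel debugger or dump and it reports the same two facts the anti-debug code above reasons about: whether the exact-breakpoint enables are on, and which hardware breakpoint slots are armed.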
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed    ; ZF set when no debugger is installed
   je      not_installed

This service just checks a flag.
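Methods 01 to 05, 07, 11, 12 and 13 each leave a short, fixed byte or string pattern in the protected program. As an added example that is not part of the original text or of any tool it mentions, the Python scanner below hand-assembles those patterns from the instruction sequences quoted above (standard x86 encodings, which is an assumption about how the quoted code would be emitted) and flags them in a raw code blob, the way an analyst triages a packer for anti-SoftICE checks before single-stepping it. The sample blob is constructed for the example.

```python
import re
from dataclasses import dataclass

# Byte patterns for the instruction sequences quoted in methods 01-12.
# Encodings are the standard x86 ones (B8+r = mov r16/32,imm; CD ib = int;
# 6A ib / 68 id = push imm), assembled by hand for this example. They are an
# assumption about how a compiler or packer emits the quoted code, not
# signatures taken from any real tool.
CODE_RULES = [
    (1, "BoundsChecker 'BCHK' int 3 interface (mov ebp,4243484Bh)",
     re.compile(rb"\xbd\x4b\x48\x43\x42")),
    (2, "SoftICE int 3 back door magic values (mov si,4647h / mov di,4A4Dh)",
     re.compile(rb"\xbe\x47\x46.{0,4}\xbf\x4d\x4a", re.DOTALL)),
    (3, "int 2Fh/1684h entry point query for VxD ID 0202h (SICE)",
     re.compile(rb"\xb8\x84\x16\xbb\x02\x02.{0,6}\xcd\x2f", re.DOTALL)),
    (4, "int 2Fh/1684h entry point query for VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16\xbb\x5f\x7a.{0,6}\xcd\x2f", re.DOTALL)),
    (5, "int 41h function 4Fh debugger check (mov ax,4Fh / int 41h)",
     re.compile(rb"\xb8\x4f\x00\xcd\x41")),
    (7, "int 68h function 43h WinICE handler check (mov ah,43h / int 68h)",
     re.compile(rb"\xb4\x43\xcd\x68")),
    (12, "VxDCall VWIN32_Int41Dispatch fn 4Fh (push 4Fh / push 002A002Ah)",
     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00")),
]

# Device and registry names from methods 11 and 13; matched as ASCII and UTF-16LE.
STRING_RULES = [
    (11, "SoftICE driver device name", "\\\\.\\SICE"),
    (11, "SoftICE driver device name", "\\\\.\\SIWVID"),
    (11, "SoftICE driver device name", "\\\\.\\NTICE"),
    (13, "SoftICE registry key", "Software\\NuMega\\SoftICE"),
]


@dataclass(frozen=True)
class Hit:
    offset: int
    method: int        # method number in the text above
    description: str


def scan(blob: bytes) -> list:
    """Return every anti-SoftICE pattern found in blob, ordered by offset."""
    hits = []
    for method, desc, rx in CODE_RULES:
        for m in rx.finditer(blob):
            hits.append(Hit(m.start(), method, desc))
    for method, desc, text in STRING_RULES:
        for needle in (text.encode("ascii"), text.encode("utf-16-le")):
            pos = blob.find(needle)
            while pos != -1:
                hits.append(Hit(pos, method, f"{desc} {text!r}"))
                pos = blob.find(needle, pos + 1)
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(blob: bytes) -> set:
    """Set of method numbers whose pattern occurs in blob."""
    return {h.method for h in scan(blob)}


# Constructed sample: the quoted sequences hand-assembled and glued together
# with nops, as they might appear in a packer stub (not taken from a real binary).
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"                 # mov ebp, 4243484Bh          (method 01)
    + b"\xb8\x04\x00\xcc\x3c\x04"             # mov ax,4 / int 3 / cmp al,4
    + b"\x75\x00"                             # jnz (rel8 left as 0)
    + b"\x90" * 3
    + b"\xb8\x11\x09"                         # mov ax, 0911h               (method 02)
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"         # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"     # mov ax,1684h / mov bx,202h / int 2Fh (method 03)
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"     # mov ax,4Fh / int 41h / cmp ax,0F386h (method 05)
    + b"\xb4\x43\xcd\x68"                     # mov ah,43h / int 68h        (method 07)
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"         # push 4Fh / push 002A002Ah   (method 12)
    + b"\x00\\\\.\\SICE\x00"                  # device name string          (method 11)
    + b"\x00Software\\NuMega\\SoftICE\x00"    # registry key                (method 13)
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  method {hit.method:02d}  {hit.description}")
```

The patterns are only a few bytes long, so a match in a large binary is a triage hint to be confirmed in the disassembler, not a verdict; it does, however, tell you which of the breakpoints listed in the methods above is worth setting before you start tracing.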
</PRE></TD></TR></TBODY></TABLE>