About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 so that es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68

   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
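As an added example (not part of the original post), here is a small static scanner that flags the idioms the methods above rely on: the 'BCHK' immediate of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h, int 41h/4Fh and int 68h/43h calls, the MeltICE `\\.\SICE` driver names, the VxDCall push sequence of Method 12 and the NuMega registry key of Method 13, so an analyst can spot such checks in a binary before tracing it. The byte patterns are the 16-bit encodings of the snippets above; the sample bytes and offsets are constructed for the demonstration.

```python
"""Static triage scanner for the anti-SoftICE idioms listed in this post.

Added example, not part of the original post. It byte-matches the
instruction encodings and strings Methods 01-13 rely on; every sample
input below is constructed by hand.
"""
import re

# (label from the post, compiled byte pattern). Encodings are 16-bit;
# Method 01's 'mov ebp,imm32' carries a 66h prefix there, so the pattern
# starts at the BDh opcode and matches 32-bit code as well.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' (mov ebp,4243484Bh)",
     re.compile(rb"\xbd\x4b\x48\x43\x42")),
    ("Method 02: back-door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,16}\xbf\x4d\x4a"
                rb"|\xbf\x4d\x4a.{0,16}\xbe\x47\x46", re.DOTALL)),
    ("Method 03: int 2Fh/1684h, SICE VxD ID 0202h",
     re.compile(rb"\xb8\x84\x16\xbb\x02\x02.{0,8}\xcd\x2f", re.DOTALL)),
    ("Method 04: int 2Fh/1684h, SIWVID VxD ID 7A5Fh",
     re.compile(rb"\xb8\x84\x16\xbb\x5f\x7a.{0,8}\xcd\x2f", re.DOTALL)),
    ("Method 05: int 41h function 4Fh (mov ax,4Fh / int 41h)",
     re.compile(rb"\xb8\x4f\x00\xcd\x41")),
    ("Method 07: int 68h function 43h (mov ah,43h / int 68h)",
     re.compile(rb"\xb4\x43\xcd\x68")),
    ("Method 11: MeltICE driver name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     re.compile(rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00")),
    ("Method 13: SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]

def scan(data: bytes):
    """Return [(offset, label)] for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), label))
    return sorted(hits)

def methods_found(data: bytes):
    """The set of 'Method NN' tags present, for summaries and assertions."""
    return {label.split(":")[0] for _, label in scan(data)}

# Constructed sample: the Haspinst.exe back-door loop of Method 02
# (16-bit encoding), a Method 05 check and a MeltICE-style driver name,
# separated by NOPs so the reported offsets are easy to read.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"          # mov ax,0911h   (execute SIce command)
    + b"\x8b\x17"              # mov dx,[bx]
    + b"\xbe\x47\x46"          # mov si,4647h   (1st magic value)
    + b"\xbf\x4d\x4a"          # mov di,4A4Dh   (2nd magic value)
    + b"\xcc"                  # int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41"  # mov ax,4Fh / int 41h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0 as MeltICE opens it
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run it against a raw file's bytes to get an offset-sorted list of hits; a hit only says the idiom is present, so confirm each one in a disassembler before acting on it.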